From 595c831d2768547d49e6daf147889c6aee15f9a4 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 18 Nov 2013 18:59:41 -0500 Subject: Snort 2.9.5.5 pkg v3.0.0 update --- config/snort/snort.inc | 1266 ++++++++++++------ config/snort/snort.xml | 56 +- config/snort/snort_alerts.php | 13 +- config/snort/snort_barnyard.php | 4 +- config/snort/snort_blocked.php | 4 +- config/snort/snort_check_for_rule_updates.php | 441 +++---- config/snort/snort_define_servers.php | 25 +- config/snort/snort_download_updates.php | 2 +- config/snort/snort_edit_hat_data.php | 2 +- config/snort/snort_frag3_engine.php | 402 ++++++ config/snort/snort_ftp_client_engine.php | 438 +++++++ config/snort/snort_ftp_server_engine.php | 387 ++++++ config/snort/snort_httpinspect_engine.php | 751 +++++++++++ config/snort/snort_import_aliases.php | 327 +++++ config/snort/snort_interfaces_edit.php | 158 ++- config/snort/snort_interfaces_global.php | 138 +- config/snort/snort_interfaces_suppress.php | 2 +- config/snort/snort_interfaces_suppress_edit.php | 6 +- config/snort/snort_interfaces_whitelist.php | 2 +- config/snort/snort_interfaces_whitelist_edit.php | 28 +- config/snort/snort_migrate_config.php | 298 +++++ config/snort/snort_post_install.php | 1440 ++++++++++++++++++++ config/snort/snort_preprocessors.php | 1530 ++++++++++++++-------- config/snort/snort_rules.php | 2 +- config/snort/snort_rules_flowbits.php | 6 +- config/snort/snort_rulesets.php | 79 +- config/snort/snort_select_alias.php | 245 ++++ config/snort/snort_stream5_engine.php | 670 ++++++++++ 28 files changed, 7339 insertions(+), 1383 deletions(-) create mode 100644 config/snort/snort_frag3_engine.php create mode 100644 config/snort/snort_ftp_client_engine.php create mode 100644 config/snort/snort_ftp_server_engine.php create mode 100644 config/snort/snort_httpinspect_engine.php create mode 100644 config/snort/snort_import_aliases.php create mode 100644 config/snort/snort_migrate_config.php create mode 100644 config/snort/snort_post_install.php create mode 100644 config/snort/snort_select_alias.php create mode 100644 config/snort/snort_stream5_engine.php diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 98b80d66..1a6f1ac6 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -43,11 +43,15 @@ require_once("filter.inc"); ini_set("memory_limit", "192M"); // Explicitly declare this as global so it works through function call includes -global $rebuild_rules; +global $rebuild_rules, $pfSense_snort_version; + +// Grab the Snort binary version programmatically +$snortver = array(); +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snort_version = $snortver[0]; /* package version */ -$snort_version = "2.9.4.6"; -$pfSense_snort_version = "2.6.1"; +$pfSense_snort_version = "3.0.0"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) @@ -66,6 +70,7 @@ else { } /* Define some useful constants for Snort */ +/* Be sure to include trailing slash on the URL defines */ define("SNORTLOGDIR", "/var/log/snort"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); @@ -73,6 +78,10 @@ define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); +define("VRT_FILE_PREFIX", "snort_"); +define("GPL_FILE_PREFIX", "GPLv2_"); +define("ET_OPEN_FILE_PREFIX", "emerging-"); +define("ET_PRO_FILE_PREFIX", "etpro-"); /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */ $rebuild_rules = false; @@ -100,24 +109,26 @@ function snort_is_single_addr_alias($alias) { return true; } -function snort_expand_port_range($ports) { +function snort_expand_port_range($ports, $delim = ',') { /**************************************************/ /* This function examines the passed ports string */ /* and expands any embedded port ranges into the */ - /* individual ports separated by commas. A port */ - /* range is indicated by a colon in the string. */ + /* individual ports separated by the specified */ + /* delimiter. A port range is indicated by a */ + /* colon in the string. */ /* */ /* On Entry: $ports ==> string to be evaluated */ - /* with commas separating */ + /* with {$delim} separating */ /* the port values. */ /* Returns: string with any encountered port */ - /* ranges expanded. */ + /* ranges expanded and the values */ + /* delimited by {$delim}. */ /**************************************************/ $value = ""; - // Split the incoming string on the commas - $tmp = explode(",", $ports); + // Split the incoming string on the specified delimiter + $tmp = explode($delim, $ports); // Look for any included port range and expand it foreach ($tmp as $val) { @@ -125,17 +136,17 @@ function snort_expand_port_range($ports) { $start = strtok($val, ":"); $end = strtok(":"); if ($end !== false) { - $val = $start . ","; + $val = $start . $delim; for ($i = intval($start) + 1; $i < intval($end); $i++) - $val .= strval($i) . ","; + $val .= strval($i) . $delim; $val .= $end; } } - $value .= $val . ","; + $value .= $val . $delim; } - // Remove any trailing comma in return value - return trim($value, ","); + // Remove any trailing delimiter in return value + return trim($value, $delim); } function snort_get_blocked_ips() { @@ -318,9 +329,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { $wandns = $list['wandnsips']; $vips = $list['vips']; $vpns = $list['vpnips']; - if (!empty($list['address']) && is_alias($list['address'])) { + if (!empty($list['address']) && is_alias($list['address'])) $home_net = explode(" ", trim(filter_expand_alias($list['address']))); - } } /* Always add loopback to HOME_NET and whitelist (ftphelper) */ @@ -573,7 +583,7 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") { /* can find a valid PID for the process. */ /******************************************************/ if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { - log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); + log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})..."); exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); } } @@ -661,78 +671,6 @@ function snort_post_delete_logs($snort_uuid = 0) { } } -function snort_postinstall() { - global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; - - $snortdir = SNORTDIR; - $snortlibdir = SNORTLIBDIR; - $rcdir = RCFILEPREFIX; - - /* Set flag for post-install in progress */ - $g['snort_postinstall'] = true; - - /* cleanup default files */ - @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); - @rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf"); - @rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map"); - @rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map"); - @rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config"); - @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); - @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); - @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); - - /* fix up the preprocessor rules filenames from a PBI package install */ - $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); - foreach ($preproc_rules as $file) { - if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) - @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); - } - - /* Remove any previously installed scripts since we rebuild them */ - @unlink("{$snortdir}/sid"); - @unlink("{$rcdir}/snort.sh"); - @unlink("{$rcdir}/barnyard2"); - - /* remove example library files */ - $files = glob("{$snortlibdir}/dynamicrules/*_example*"); - foreach ($files as $f) - @unlink($f); - $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*"); - foreach ($files as $f) - @unlink($f); - - /* remake saved settings */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { - log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); - update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); - log_error(gettext("[Snort] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule types...")); - if ($pkg_interface <> "console") - $snort_gui_include = true; - @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); - update_status(gettext("Generating snort.conf configuration file from saved settings...")); - $rebuild_rules = true; - sync_snort_package_config(); - $rebuild_rules = false; - update_output_window(gettext("Finished rebuilding files...")); - log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); - - /* Only try to start Snort if not in reboot */ - if (!$g['booting']) { - update_status(gettext("Starting Snort using rebuilt configuration...")); - update_output_window(gettext("Please wait... while Snort is started...")); - log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - update_output_window(gettext("Snort has been started using the rebuilt configuration...")); - start_service("snort"); - } - } - - /* Done with post-install, so clear flag */ - unset($g['snort_postinstall']); - log_error(gettext("[Snort] Package post-installation tasks completed...")); -} - function snort_Getdirsize($node) { if(!is_readable($node)) return false; @@ -761,7 +699,6 @@ function snort_snortloglimit_install_cron($should_install) { switch($should_install) { case true: if(!$is_installed) { - $cron_item = array(); $cron_item['minute'] = "*/5"; $cron_item['hour'] = "*"; @@ -798,6 +735,22 @@ function snort_rm_blocked_install_cron($should_install) { } $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "15m_b") { + $snort_rm_blocked_min = "*/2"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "900"; + } + if ($snort_rm_blocked_info_ck == "30m_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "1800"; + } if ($snort_rm_blocked_info_ck == "1h_b") { $snort_rm_blocked_min = "*/5"; $snort_rm_blocked_hr = "*"; @@ -1047,13 +1000,13 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* sid-msg.map file for use by Snort and/or barnyard2. */ /*************************************************************/ - $sidMap = array(); + $sidMap = array(); $rule_files = array(); - /* First check if we were passed a directory, a single file */ - /* or an array of filenames to read. Set our $rule_files */ - /* variable accordingly. If we can't figure it out, return */ - /* and don't write a sid_msg_map file. */ + /* First check if we were passed a directory, a single file */ + /* or an array of filenames to read. Set our $rule_files */ + /* variable accordingly. If we can't figure it out, return */ + /* and don't write a sid_msg_map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -1065,71 +1018,71 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { else return; - /* Read the rule files into an array, then iterate the list */ - foreach ($rule_files as $file) { + /* Read the rule files into an array, then iterate the list */ + foreach ($rule_files as $file) { - /* Don't process files with "deleted" in the filename */ - if (stristr($file, "deleted")) - continue; + /* Don't process files with "deleted" in the filename */ + if (stristr($file, "deleted")) + continue; - /* Read the file into an array, skipping missing files. */ - if (!file_exists($file)) + /* Read the file into an array, skipping missing files. */ + if (!file_exists($file)) continue; - $rules_array = file($file, FILE_SKIP_EMPTY_LINES); - $record = ""; - $b_Multiline = false; - - /* Read and process each line from the rules in the */ - /* current file. */ - foreach ($rules_array as $rule) { - - /* Skip any non-rule lines unless we're in */ - /* multiline mode. */ - if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) - continue; - - /* Test for a multi-line rule, and reassemble the */ - /* pieces back into a single line. */ - if (preg_match('/\\\\s*[\n]$/m', $rule)) { - $rule = substr($rule, 0, strrpos($rule, '\\')); - $record .= $rule; - $b_Multiline = true; - continue; - } - /* If the last segment of a multiline rule, then */ - /* append it onto the previous parts to form a */ - /* single-line rule for further processing below. */ - elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { - $record .= $rule; - $rule = $record; - } - $b_Multiline = false; - $record = ""; - - /* Parse the rule to find sid and any references. */ - $sid = ''; - $msg = ''; - $matches = ''; - $sidEntry = ''; - if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) - $msg = trim($matches[1]); - if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) - $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; - preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); - foreach ($matches[1] as $ref) - $sidEntry .= " || " . trim($ref); - $sidEntry .= "\n"; - $sidMap[$sid] = $sidEntry; - } - } + $rules_array = file($file, FILE_SKIP_EMPTY_LINES); + $record = ""; + $b_Multiline = false; + + /* Read and process each line from the rules in the current file */ + foreach ($rules_array as $rule) { + + /* Skip any non-rule lines unless we're in multiline mode. */ + if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + continue; + + /* Test for a multi-line rule, and reassemble the */ + /* pieces back into a single line. */ + if (preg_match('/\\\\s*[\n]$/m', $rule)) { + $rule = substr($rule, 0, strrpos($rule, '\\')); + $record .= $rule; + $b_Multiline = true; + continue; + } + /* If the last segment of a multiline rule, then */ + /* append it onto the previous parts to form a */ + /* single-line rule for further processing below. */ + elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { + $record .= $rule; + $rule = $record; + } + $b_Multiline = false; + $record = ""; + + /* Parse the rule to find sid and any references. */ + $sid = ''; + $msg = ''; + $matches = ''; + $sidEntry = ''; + if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) + $msg = trim($matches[1]); + if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $sid = trim($matches[1]); + if (!empty($sid) && !empty($msg)) { + $sidEntry = $sid . ' || ' . $msg; + preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); + foreach ($matches[1] as $ref) + $sidEntry .= " || " . trim($ref); + $sidEntry .= "\n"; + if (!is_array($sidMap[$sid])) + $sidMap[$sid] = array(); + $sidMap[$sid] = $sidEntry; + } + } } - /* Sort the generated sid-msg map by sid */ - ksort($sidMap); + /* Sort the generated sid-msg map by sid */ + ksort($sidMap); - /* Now print the result to the supplied file */ + /* Now print the result to the supplied file */ @file_put_contents($sid_file, array_values($sidMap)); } @@ -1154,8 +1107,11 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) { if (preg_match('/(\:)\s*(\w+)\s*(.*)/', $line, $matches)) { if (!empty($matches[2]) && !empty($matches[3])) { $matches[2] = trim($matches[2]); - if (!array_key_exists($matches[2], $outMap)) + if (!array_key_exists($matches[2], $outMap)) { + if (!is_array($outMap[$matches[2]])) + $outMap[$matches[2]] = array(); $outMap[$matches[2]] = trim($matches[3]); + } } } } @@ -1199,8 +1155,11 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) { continue; if (!empty($matches[2]) && !empty($matches[3]) && !empty($matches[4])) { $matches[2] = trim($matches[2]); - if (!array_key_exists($matches[2], $outMap)) + if (!array_key_exists($matches[2], $outMap)) { + if (!is_array($outMap[$matches[2]])) + $outMap[$matches[2]] = array(); $outMap[$matches[2]] = trim($matches[3]) . "," . trim($matches[4]); + } } } } @@ -1463,8 +1422,11 @@ function snort_get_checked_flowbits($rules_map) { if ($action == "isset" || $action == "isnotset") { $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); foreach ($target as $t) - if (!empty($t) && !isset($checked_flowbits[$t])) + if (!empty($t) && !isset($checked_flowbits[$t])) { + if (!is_array($checked_flowbits[$t])) + $checked_flowbits[$t] = array(); $checked_flowbits[$t] = $action; + } } } } @@ -1504,8 +1466,11 @@ function snort_get_set_flowbits($rules_map) { if ($action == "set" || $action == "toggle" || $action == "setx") { $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); foreach ($target as $t) - if (!empty($t) && !isset($set_flowbits[$t])) + if (!empty($t) && !isset($set_flowbits[$t])) { + if (!is_array($set_flowbits[$t])) + $set_flowbits[$t] = array(); $set_flowbits[$t] = $action; + } } } } @@ -1584,7 +1549,7 @@ function snort_resolve_flowbits($rules, $active_rules) { $snortdir = SNORTDIR; - /* Check $all_rules array to be sure it is filled. */ + /* Check $rules array to be sure it is filled. */ if (empty($rules)) { log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); return array(); @@ -1643,7 +1608,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { $fp = fopen($rule_file, "w"); if ($fp) { @fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n"); - @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n"); + @fwrite($fp, "# dependent flowbits are not set, then some of your chosen rules may\n"); @fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n"); @fwrite($fp, "# your chosen rules fire as intended.\n#\n"); @fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n"); @@ -1791,8 +1756,11 @@ function snort_load_sid_mods($sids, $value) { return $result; $tmp = explode("||", $sids); foreach ($tmp as $v) { - if (preg_match('/\s\d+/', $v, $match)) + if (preg_match('/\s\d+/', $v, $match)) { + if (!is_array($result[trim($match[0])])) + $result[trim($match[0])] = array(); $result[trim($match[0])] = trim($match[0]); + } } unset($tmp); @@ -1849,12 +1817,12 @@ function snort_modify_sids(&$rule_map, $snortcfg) { function snort_create_rc() { - /*********************************************************/ - /* This function builds the /usr/local/etc/rc.d/snort.sh */ - /* shell script for starting and stopping Snort. The */ - /* script is rebuilt on each package sync operation and */ - /* after any changes to snort.conf saved in the GUI. */ - /*********************************************************/ +/*********************************************************/ +/* This function builds the /usr/local/etc/rc.d/snort.sh */ +/* shell script for starting and stopping Snort. The */ +/* script is rebuilt on each package sync operation and */ +/* after any changes to snort.conf saved in the GUI. */ +/*********************************************************/ global $config, $g; @@ -2137,19 +2105,23 @@ function snort_deinstall() { /* Log a message only if a running process is detected */ if (is_service_running("snort")) log_error(gettext("[Snort] Snort STOP for all interfaces...")); - mwexec('/usr/bin/killall snort', true); + mwexec('/usr/bin/killall -z snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); sleep(2); + // Delete any leftover snort PID files in /var/run + array_map('@unlink', glob("/var/run/snort_*.pid")); /* Make sure all active Barnyard2 processes are terminated */ /* Log a message only if a running process is detected */ if (is_service_running("barnyard2")) log_error(gettext("[Snort] Barnyard2 STOP for all interfaces...")); - mwexec('/usr/bin/killall barnyard2', true); + mwexec('/usr/bin/killall -z barnyard2', true); sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); + // Delete any leftover barnyard2 PID files in /var/run + array_map('@unlink', glob("/var/run/barnyard2_*.pid")); /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); @@ -2562,6 +2534,8 @@ function snort_generate_conf($snortcfg) { /* user added arguments */ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); + // Remove the trailing newline + $snort_config_pass_thru = rtrim($snort_config_pass_thru); /* create a few directories and ensure the sample files are in place */ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", @@ -2638,14 +2612,15 @@ function snort_generate_conf($snortcfg) { $ssh_port = $config['system']['ssh']['port']; else $ssh_port = "22"; + + /* Define an array of default values for the various preprocessor ports */ $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", - "oracle_ports" => "1024:", "mssql_ports" => "1433", - "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", - "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", - "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79", + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", @@ -2658,6 +2633,7 @@ function snort_generate_conf($snortcfg) { "GTP_PORTS" => "2123,2152,3386" ); + /* Check for defined Aliases that may override default port settings as we build the portvars array */ $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) @@ -2666,6 +2642,23 @@ function snort_generate_conf($snortcfg) { $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } + /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ + $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; + $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; + $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; + $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; + $stream5_ports_client .= "\t 32778 32779"; + $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; + $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; + $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; + $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; + $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; + $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; + $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; + $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; + $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; + $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; + $stream5_ports_both .= "\t 55555 56712"; ///////////////////////////// /* preprocessor code */ @@ -2676,106 +2669,220 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u EOD; - /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */ - $http_inspect_memcap = "150994944"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_memcap = $snortcfg['http_inspect_memcap']; - - /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */ - $server_flow_depth = '300'; - if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) - $server_flow_depth = $snortcfg['server_flow_depth']; - $http_server_profile = "all"; - if (!empty($snortcfg['http_server_profile'])) - $http_server_profile = $snortcfg['http_server_profile']; - $client_flow_depth = '300'; - if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) - $client_flow_depth = $snortcfg['client_flow_depth']; - if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) - $noalert_http_inspect = "no_alerts"; + /* def ftp_preprocessor */ + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); + + // Configure FTP_Telnet global options + $ftp_telnet_globals = "inspection_type "; + if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } + if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; else - $noalert_http_inspect = ""; - $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n"; - $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n"; - $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies"; - if ($snortcfg['http_inspect_enable_xff'] == "on") - $http_inspect_server_opts .= " \\\n\tenable_xff"; - - /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */ - if ($snortcfg['stream5_reassembly'] == "on") { - if ($snortcfg['http_inspect_log_uri'] == "on") - $http_inspect_server_opts .= " \\\n\tlog_uri"; - if ($snortcfg['http_inspect_log_hostname'] == "on") - $http_inspect_server_opts .= " \\\n\tlog_hostname"; - } + $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; + if ($snortcfg['ftp_telnet_check_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; + + // Configure FTP_Telnet Telnet protocol options + $ftp_telnet_protocol = "ports { {$telnet_ports} }"; + if ($snortcfg['ftp_telnet_normalize'] == "on") + $ftp_telnet_protocol .= " \\\n\tnormalize"; + if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") + $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; + } + + // Setup the standard FTP commands used for all FTP Server engines + $ftp_cmds = << \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > - $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); +EOD; - /* def http_inspect */ - $http_inspect = << "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + + // If no FTP client engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; + $ftp_client_engine = ""; + + foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } -preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \ - ports { {$http_ports} } \ - http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ - server_flow_depth {$server_flow_depth} \ - client_flow_depth {$client_flow_depth} \ - {$http_inspect_server_opts} + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; + } + // Trim final trailing newline + rtrim($ftp_client_engine); + + // Iterate and configure the FTP Server engines + $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + + // If no FTP server engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; + $ftp_server_engine = ""; + + foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } -EOD; + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; + } + // Remove trailing newlines + rtrim($ftp_server_engine); - /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); - $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); $ftp_preprocessor = << \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - ignore_telnet_erase_cmds yes \ - telnet_cmds yes - + {$ftp_telnet_protocol} + +{$ftp_server_engine} +{$ftp_client_engine} EOD; $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); @@ -2783,7 +2890,7 @@ EOD; # POP preprocessor # preprocessor pop: \ ports { {$pop_ports} } \ - memcap 1310700 \ + memcap 1310700 \ qp_decode_depth 0 \ b64_decode_depth 0 \ bitenc_decode_depth 0 @@ -2795,7 +2902,7 @@ EOD; # IMAP preprocessor # preprocessor imap: \ ports { {$imap_ports} } \ - memcap 1310700 \ + memcap 1310700 \ qp_decode_depth 0 \ b64_decode_depth 0 \ bitenc_decode_depth 0 @@ -2807,35 +2914,37 @@ EOD; $smtp_preprocessor = << "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", @@ -3015,13 +3141,15 @@ EOD; "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); - $vardef = ""; + // Change old name from "var" to new name of "ipvar" for IP variables because + // Snort is deprecating the old "var" name in newer versions. + $ipvardef = ""; foreach ($snort_servers as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); $avalue = preg_replace('/\s+/', ',', trim($avalue)); } - $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; } $snort_preproc_libs = array( @@ -3031,7 +3159,7 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $default_disabled_preprocs = array( @@ -3065,6 +3193,8 @@ EOD; } } } + // Remove final trailing newline + $snort_preprocessors = rtrim($snort_preprocessors); $snort_misc_include_rules = ""; if (file_exists("{$snortcfgdir}/reference.config")) @@ -3106,6 +3236,10 @@ EOD; $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + // Remove trailing newlines + $snort_misc_include_rules = rtrim($snort_misc_include_rules); + $selected_rules_sections = rtrim($selected_rules_sections); + /* Create the actual rules files and save in the interface directory */ snort_prepare_rule_files($snortcfg, $snortcfgdir); @@ -3123,83 +3257,247 @@ EOD; $cfg_detect_settings .= " no_stream_inserts"; /* Pull in user-configurable options for Frag3 preprocessor settings */ - $frag3_disabled = ""; - if ($snortcfg['frag3_detection'] == "off") - $frag3_disabled = ", disabled"; - $frag3_memcap = "memcap 4194304"; + /* Get global Frag3 options first and put into a string */ + $frag3_global = "preprocessor frag3_global: "; if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}"; - $frag3_max_frags = "max_frags 8192"; + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; + else + $frag3_global .= "memcap 4194304, "; if (!empty($snortcfg['frag3_max_frags'])) - $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}"; - $frag3_overlap_limit = "overlap_limit 0"; - if (!empty($snortcfg['frag3_overlap_limit'])) - $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}"; - $frag3_min_frag_len = "min_fragment_length 0"; - if (!empty($snortcfg['frag3_min_frag_len'])) - $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}"; - $frag3_timeout = "timeout 60"; - if (!empty($snortcfg['frag3_timeout'])) - $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}"; - $frag3_policy = "policy bsd"; - if (!empty($snortcfg['frag3_policy'])) - $frag3_policy = "policy {$snortcfg['frag3_policy']}"; - - /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */ + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; + else + $frag3_global .= "max_frags 8192"; + if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + + $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $frag3_engine = ""; + + // Now iterate configured Frag3 engines and write them to a string if enabled + if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); + } + + // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0") + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') $paf_max_pdu_config .= "0"; else $paf_max_pdu_config .= $snortcfg['max_paf']; - /* Pull in user-configurable options for Stream5 preprocessor settings */ - $stream5_reassembly = ""; + // Pull in user-configurable options for Stream5 preprocessor settings + // Get global options first and put into a string + $stream5_global = "preprocessor stream5_global: \\\n"; if ($snortcfg['stream5_reassembly'] == "off") - $stream5_reassembly = "disabled,"; - $stream5_track_tcp = "yes"; - if ($snortcfg['stream5_track_tcp'] =="off") - $stream5_track_tcp = "no"; - $stream5_track_udp = "yes"; - if ($snortcfg['stream5_track_udp'] =="off") - $stream5_track_udp = "no"; - $stream5_track_icmp = "no"; - if ($snortcfg['stream5_track_icmp'] =="on") - $stream5_track_icmp = "yes"; - $stream5_require_3whs = ""; - if ($snortcfg['stream5_require_3whs'] == "on") - $stream5_require_3whs = ", require_3whs 0"; - $stream5_no_reassemble_async = ""; - if ($snortcfg['stream5_no_reassemble_async'] == "on") - $stream5_no_reassemble_async = ", dont_reassemble_async"; - $stream5_dont_store_lg_pkts = ""; - if ($snortcfg['stream5_dont_store_lg_pkts'] == "on") - $stream5_dont_store_lg_pkts = ", dont_store_large_packets"; - $stream5_max_queued_bytes_type = ""; - if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0')) - $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; - $stream5_max_queued_segs_type = ""; - if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0')) - $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; - $stream5_mem_cap = ""; + $stream5_global .= "\tdisabled, \\\n"; + if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; + else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; + } + if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; + else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; + } + if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; + } + else + $stream5_global .= " \\\n\ttrack_icmp no,"; if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; - $stream5_overlap_limit = "overlap_limit 0"; - if (!empty($snortcfg['stream5_overlap_limit'])) - $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}"; - $stream5_policy = "policy bsd"; - if (!empty($snortcfg['stream5_policy'])) - $stream5_policy = "policy {$snortcfg['stream5_policy']}"; - $stream5_tcp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_tcp_timeout'])) - $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}"; - $stream5_udp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}"; - $stream5_icmp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}"; - - /* Check for and configure Host Attribute Table if enabled */ + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; + else + $stream5_global .= " \\\n\tmemcap 8388608,"; + + if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; + else + $stream5_global .= " \\\n\tprune_log_max 1048576"; + if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + + $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $stream5_tcp_engine = ""; + + // Now iterate configured Stream5 TCP engines and write them to a string if enabled + if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); + } + + // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; + else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; + } + + // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; + } + else + $stream5_icmp_engine = ""; + + // Check for and configure Host Attribute Table if enabled $host_attrib_config = ""; if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); @@ -3211,22 +3509,148 @@ EOD; $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; } - /* Finally, build the Snort configuration file */ - $snort_conf_text = << "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); + $http_inspect_servers = ""; + + // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled + if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); + } + + // Finally, build the Snort configuration file + $snort_conf_text = <<Describe your package requirements here Currently there are no FAQ items provided. Snort - 2.9.4.6 - Services:2.9.4.6 pkg v. 2.6.1 + 2.9.5.5 + Services:2.9.5.5 pkg v. 3.0.0 /usr/local/pkg/snort/snort.inc Snort @@ -73,6 +73,16 @@ 077 http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_migrate_config.php + + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_post_install.php + /usr/local/pkg/snort/ 077 @@ -188,15 +198,55 @@ 077 http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_frag3_engine.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_stream5_engine.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_httpinspect_engine.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_ftp_client_engine.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_ftp_server_engine.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_import_aliases.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_select_alias.php + + - snort_postinstall(); + snort_deinstall(); diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 728de751..ede6cf9a 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -144,12 +144,13 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - $anentries = $pconfig['alertnumber']; -} else { - $anentries = '250'; +} + +if (empty($pconfig['alertnumber'])) $pconfig['alertnumber'] = '250'; +if (empty($pconfig['arefresh'])) $pconfig['arefresh'] = 'off'; -} +$anentries = $pconfig['alertnumber']; if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) @@ -259,7 +260,7 @@ if ($_POST['download']) { /* Load up an array with the current Suppression List GID,SID values */ $supplist = snort_load_suppress_sigs($a_instance[$instanceid], true); -$pgtitle = "Services: Snort: Snort Alerts"; +$pgtitle = gettext("Snort: Snort Alerts"); include_once("head.inc"); ?> @@ -336,7 +337,7 @@ if ($pconfig['arefresh'] == 'on') > ', '', '', ''); ?>   - + ', '', '', ''); ?> diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index a5c1ffec..2457b573 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -104,7 +104,7 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings"); include_once("head.inc"); ?> @@ -188,7 +188,7 @@ function enable_change(enable_change) {

diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 983e8905..8d106a90 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -121,7 +121,7 @@ if ($_POST['save']) } -$pgtitle = "Services: Snort Blocked Hosts"; +$pgtitle = gettext("Snort: Blocked Hosts"); include_once("head.inc"); ?> @@ -180,7 +180,7 @@ if ($pconfig['brefresh'] == 'on') name="brefresh" type="checkbox" value="on" > ', '', '', ''); ?>   ', '', '', ''); ?> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index e7263330..2afae663 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -53,6 +53,14 @@ if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); +if (!defined("VRT_FILE_PREFIX")) + define("VRT_FILE_PREFIX", "snort_"); +if (!defined("GPL_FILE_PREFIX")) + define("GPL_FILE_PREFIX", "GPLv2_"); +if (!defined("ET_OPEN_FILE_PREFIX")) + define("ET_OPEN_FILE_PREFIX", "emerging-"); +if (!defined("ET_PRO_FILE_PREFIX")) + define("ET_PRO_FILE_PREFIX", "etpro-"); $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; @@ -118,7 +126,6 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; $snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5"; $snort_community_rules_url = GPLV2_DNLD_URL; -/* Custom function for rules file download via URL */ function snort_download_file_url($url, $file_out) { /************************************************/ @@ -127,18 +134,21 @@ function snort_download_file_url($url, $file_out) { /* saves the content to the file specified by */ /* $file. */ /* */ + /* This is needed so console output can be */ + /* suppressed to prevent XMLRPC sync errors. */ + /* */ /* It provides logging of returned CURL errors. */ /************************************************/ global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; - // Initialize required variables for pfSense "read_body()" function + // Initialize required variables for the pfSense "read_body()" function $file_size = 1; $downloaded = 1; $first_progress_update = TRUE; - /* Array of message strings for HTTP Response Codes */ + // Array of message strings for HTTP Response Codes $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", @@ -157,7 +167,7 @@ function snort_download_file_url($url, $file_out) { return false; curl_setopt($ch, CURLOPT_FILE, $fout); - /* NOTE: required to suppress errors from XMLRPC due to progress bar output */ + // NOTE: required to suppress errors from XMLRPC due to progress bar output if ($g['snort_sync_in_progress']) curl_setopt($ch, CURLOPT_HEADER, false); else { @@ -167,7 +177,6 @@ function snort_download_file_url($url, $file_out) { curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"); - /* Don't verify SSL peers since we don't have the certificates to do so. */ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 0); @@ -185,7 +194,7 @@ function snort_download_file_url($url, $file_out) { $counter = 0; $rc = true; - /* Try up to 4 times to download the file before giving up */ + // Try up to 4 times to download the file before giving up while ($counter < 4) { $counter++; $rc = curl_exec($ch); @@ -202,7 +211,8 @@ function snort_download_file_url($url, $file_out) { $last_curl_error = $http_resp_msg[$http_code]; curl_close($ch); fclose($fout); - /* If we had to try more than once, log it */ + + // If we had to try more than once, log it if ($counter > 1) log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ...")); return ($http_code == 200) ? true : $http_code; @@ -214,7 +224,140 @@ function snort_download_file_url($url, $file_out) { } } -/* Start of code */ +function snort_check_rule_md5($file_url, $file_dst, $desc = "") { + + /**********************************************************/ + /* This function attempts to download the passed MD5 hash */ + /* file and compare its contents to the currently stored */ + /* hash file to see if a new rules file has been posted. */ + /* */ + /* On Entry: $file_url = URL for md5 hash file */ + /* $file_dst = Temp destination to store the */ + /* downloaded hash file */ + /* $desc = Short text string used to label */ + /* log messages with rules type */ + /* */ + /* Returns: TRUE if new rule file download required. */ + /* FALSE if rule download not required or an */ + /* error occurred. */ + /**********************************************************/ + + global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + + $snortdir = SNORTDIR; + $filename_md5 = basename($file_dst); + + if ($pkg_interface <> "console") + update_status(gettext("Downloading {$desc} md5 file...")); + error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url($file_url, $file_dst); + + // See if download from URL was successful + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading {$filename_md5}.")); + error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log); + + // check md5 hash in new file against current file to see if new download is posted + if (file_exists("{$snortdir}/{$filename_md5}")) { + $md5_check_new = file_get_contents($file_dst); + $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}"); + if ($md5_check_new == $md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("{$desc} are up to date...")); + log_error(gettext("[Snort] {$desc} are up to date...")); + error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log); + return false; + } + else + return true; + } + return true; + } + else { + error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log); + $snort_err_msg = gettext("Server returned error code {$rc}."); + if ($pkg_interface <> "console") { + update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); + update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}")); + } + log_error(gettext("[Snort] {$desc} md5 download failed...")); + log_error(gettext("[Snort] Server returned error code {$rc}...")); + error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } +} + +function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { + + /**********************************************************/ + /* This function downloads the passed rules file and */ + /* compares its computed md5 hash to the passed md5 hash */ + /* to verify the file's integrity. */ + /* */ + /* On Entry: $file_url = URL of rules file */ + /* $file_dst = Temp destination to store the */ + /* downloaded rules file */ + /* $file_md5 = Expected md5 hash for the new */ + /* downloaded rules file */ + /* $desc = Short text string for use in */ + /* log messages */ + /* */ + /* Returns: TRUE if download was successful. */ + /* FALSE if download was not successful. */ + /**********************************************************/ + + global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + + $snortdir = SNORTDIR; + $filename = basename($file_dst); + + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of {$desc} posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}...")); + error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url($file_url, $file_dst); + + // See if the download from the URL was successful + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading {$desc} file.")); + log_error("[Snort] {$desc} file update downloaded successfully"); + error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); + + // Test integrity of the rules file. Turn off update if file has wrong md5 hash + if ($file_md5 != trim(md5_file($file_dst))){ + if ($pkg_interface <> "console") + update_output_window(gettext("{$desc} file MD5 checksum failed...")); + log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst))); + log_error(gettext("[Snort] Expected File MD5: {$file_md5}")); + error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } + return true; + } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("{$desc} file download failed...")); + log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); + error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } + +} + +/* Start of main code */ conf_mount_rw(); /* remove old $tmpfname files */ @@ -239,171 +382,43 @@ if (file_exists($snort_rules_upd_log)) { error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); $last_curl_error = ""; -/* download md5 sig from snort.org */ -if ($snortdownload == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}...")); - error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$snort_filename_md5}.")); - error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); - } - else { - error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log); - if ($rc == 403) { - $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n"); - $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n"); - $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n"); - } - else - $snort_err_msg = gettext("Server returned error code '{$rc}'."); - if ($pkg_interface <> "console") { - update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}")); - } - log_error(gettext("[Snort] Snort VRT md5 download failed...")); - log_error(gettext("[Snort] Server returned error code '{$rc}'...")); - error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tServer error message was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } -} - -/* Check if were up to date snort.org */ +/* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { - if (file_exists("{$snortdir}/{$snort_filename_md5}")) { - $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - if ($md5_check_new == $md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort VRT rules are up to date...")); - log_error(gettext("[Snort] Snort VRT rules are up to date...")); - error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } - } -} - -/* download snortrules file */ -if ($snortdownload == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}...")); - log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort VRT rules file.")); - log_error("[Snort] Snort VRT rules file update downloaded successfully"); - error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); - if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}"))); - error_log(gettext("\tSnort VRT rules file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { + /* download snortrules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")); + if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) $snortdownload = 'off'; - } } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file download failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'...")); - error_log(gettext("\tSnort VRT rules file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + else $snortdownload = 'off'; - } } -/* download md5 sig from Snort GPLv2 Community Rules */ +/* Check for and download any new Snort GPLv2 Community Rules sigs */ if ($snortcommunityrules == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}...")); - error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); - error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); - if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { - /* Check if were up to date Snort GPLv2 Community Rules */ - $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); - $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); - if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort GPLv2 Community Rules are up to date...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); - error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - } + if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) { + /* download Snort GPLv2 Community Rules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")); + if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules")) + $snortcommunityrules = 'off'; } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + else $snortcommunityrules = 'off'; - } } -/* download Snort GPLv2 Community rules file */ -if ($snortcommunityrules == "on") { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ...")); - log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); - - /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ - if ($rc === true) { - if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); - error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); - log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); - error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); - } - } - else { - if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping GPLv2 Community Rules...")); - update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); - } - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tSnort GPLv2 Community Rules download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; +/* Check for and download any new Emerging Threats Rules sigs */ +if ($emergingthreats == 'on') { + if (snort_check_rule_md5("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}", "{$et_name} rules")) { + /* download Emerging Threats rules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")); + if (!snort_fetch_new_rules("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}", $file_md5, "{$et_name} rules")) + $emergingthreats = 'off'; } + else + $emergingthreats = 'off'; } -/* Untar Snort GPLv2 Community rules to tmp */ +/* Untar Snort GPLv2 Community rules file to tmp */ if ($snortcommunityrules == 'on') { safe_mkdir("{$snortdir}/tmp/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { @@ -417,12 +432,12 @@ if ($snortcommunityrules == 'on') { $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}"); + @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}"); } /* base etc files for Snort GPLv2 Community rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) - @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}"); + @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}"); } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { @@ -439,84 +454,7 @@ if ($snortcommunityrules == 'on') { } } -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading {$et_name} md5 file...")); - error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}")); - error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log); - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { - /* Check if were up to date emergingthreats.net */ - $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - if ($emerg_md5_check_new == $emerg_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("{$et_name} rules are up to date...")); - log_error(gettext("[Snort] {$et_name} rules are up to date...")); - error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - } - } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated.")); - log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}...")); - log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); - - /* Test for a valid rules file download. Turn off ET update if download failed. */ - if ($rc === true) { - if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("{$et_name} rules file MD5 checksum failed...")); - log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading {$et_name} rules file.')); - log_error("[Snort] {$et_name} rules file update downloaded successfully"); - error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log); - } - } - else { - if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update...")); - update_output_window(gettext("{$et_name} rules file download failed...")); - } - log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } -} - -/* Untar emergingthreats rules to tmp */ +/* Untar Emerging Threats rules file to tmp */ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { @@ -528,16 +466,18 @@ if ($emergingthreats == 'on') { exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); /* Remove the old Emerging Threats rules files */ - array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules")); - array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules")); - array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt")); - array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt")); + $eto_prefix = ET_OPEN_FILE_PREFIX; + $etpro_prefix = ET_PRO_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*.rules")); + array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*.rules")); + array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt")); $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") - @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); else @copy($file, "{$snortdir}/rules/{$newfile}"); } @@ -546,9 +486,9 @@ if ($emergingthreats == 'on') { foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") - @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); else - @copy($file, "{$snortdir}/rules/emerging-{$newfile}"); + @copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -571,7 +511,7 @@ if ($emergingthreats == 'on') { } } -/* Untar snort rules file individually to help people with low system specs */ +/* Untar Snort rules file to tmp */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ @@ -581,7 +521,8 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-9-0'; /* Remove the old Snort rules files */ - array_map('unlink', glob("{$snortdir}/rules/snort_*.rules")); + $vrt_prefix = VRT_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules")); if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); @@ -594,7 +535,7 @@ if ($snortdownload == 'on') { $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/snort_{$newfile}"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}"); } /* IP lists */ $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt"); @@ -629,7 +570,7 @@ if ($snortdownload == 'on') { $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { $newfile = basename($file, ".rules"); - @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules"); } exec("rm -r {$snortdir}/tmp/so_rules"); } diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index ca549820..e9fcfcab 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -68,7 +68,7 @@ else $ssh_port = "22"; $snort_ports = array( "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", @@ -86,6 +86,11 @@ $snort_ports = array( "GTP_PORTS" => "2123,2152,3386" ); +// Sort our SERVERS and PORTS arrays to make values +// easier to locate by the the user. +ksort($snort_servers); +ksort($snort_ports); + $pconfig = $a_nat[$id]; /* convert fake interfaces to real */ @@ -144,7 +149,7 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Define Servers"; +$pgtitle = gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports"); include_once("head.inc"); ?> @@ -195,7 +200,7 @@ if ($savemsg)
- + $server): @@ -210,8 +215,8 @@ if ($savemsg) } ?> - - + - + $server): @@ -236,8 +241,8 @@ if ($savemsg) } ?> - - + - - + diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 09ab646a..1db5b6a0 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -96,7 +96,7 @@ $snort_rules_upd_logfile_chk = 'no'; if (file_exists("{$snort_rules_upd_log}")) $snort_rules_upd_logfile_chk = 'yes'; -$pgtitle = "Services: Snort: Updates"; +$pgtitle = gettext("Snort: Updates"); include_once("head.inc"); ?> diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index f0562046..f6d00b0b 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -80,7 +80,7 @@ if ($_POST['host_attribute_data']) { $if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); -$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data"); include_once("head.inc"); ?> diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php new file mode 100644 index 00000000..f344771b --- /dev/null +++ b/config/snort/snort_frag3_engine.php @@ -0,0 +1,402 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +// Grab the incoming QUERY STRING or POST variables +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['policy'])) + $pconfig['policy'] = "bsd"; + if (empty($pconfig['timeout'])) + $pconfig['timeout'] = 60; + if (empty($pconfig['min_ttl'])) + $pconfig['min_ttl'] = 1; + if (empty($pconfig['detect_anomalies'])) + $pconfig['detect_anomalies'] = "on"; + if (empty($pconfig['overlap_limit'])) + $pconfig['overlap_limit'] = 0; + if (empty($pconfig['min_frag_len'])) + $pconfig['min_frag_len'] = 0; +} + +if ($_POST['Cancel']) { + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + +if ($_POST['Submit']) { + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['frag3_name']) { $engine['name'] = trim($_POST['frag3_name']); } else { $engine['name'] = "default"; } + if ($_POST['frag3_bind_to']) { + if (is_alias($_POST['frag3_bind_to'])) + $engine['bind_to'] = $_POST['frag3_bind_to']; + elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + /* Validate the text input fields before saving */ + if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) { + $engine['timeout'] = $_POST['frag3_timeout']; + if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1) + $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero."); + } + else + $engine['timeout'] = 60; + + if (!empty($_POST['frag3_min_ttl']) || $_POST['frag3_min_ttl'] == 0) { + $engine['min_ttl'] = $_POST['frag3_min_ttl']; + if ($_POST['frag3_min_ttl'] < 1 || $_POST['frag3_min_ttl'] > 255) + $input_errors[] = gettext("The value for Minimum_Time-To-Live must be between 1 and 255."); + } + else + $engine['min_ttl'] = 1; + + if (!empty($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] == 0) { + $engine['overlap_limit'] = $_POST['frag3_overlap_limit']; + if (!is_numeric($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] < 0) + $input_errors[] = gettext("The value for Overlap_Limit must be a number greater than or equal to zero."); + } + else + $engine['overlap_limit'] = 0; + + if (!empty($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] == 0) { + $engine['min_frag_len'] = $_POST['frag3_min_frag_len']; + if (!is_numeric($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] < 0) + $input_errors[] = gettext("The value for Min_Fragment_Length must be a number greater than or equal to zero."); + } + else + $engine['min_frag_len'] = 0; + + if ($_POST['frag3_policy']) { $engine['policy'] = $_POST['frag3_policy']; } else { $engine['policy'] = "bsd"; } + $engine['detect_anomalies'] = $_POST['frag3_detect_anomalies'] ? 'on' : 'off'; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default Frag3 Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine"); +include_once("head.inc"); + +?> + + + + + + + + +
+
+
@@ -221,7 +226,7 @@ if ($savemsg)
+
""
  +  
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ >  + "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
+ " . gettext("default") . ""; ?>.
+
+ "default") : ?> + + + + + + + + +
  + "/>
+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> +      + +   + " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>
+
+ +
+   " . gettext("BSD") . ""; ?>.

+
+
+ +

+ " . gettext("60 ") . "" . gettext("seconds."); ?>
+
+ +

+ " . gettext("1") . ""; ?>.
+
onclick="frag3_enable_change();"> + " . gettext("Checked") . ""; ?>.

+ " . + gettext("In order to customize the Overlap Limit and Minimum Fragment Length parameters for this engine, Anomaly Detection must be enabled."); ?> +
+ + 0" . gettext(" (unlimited). Values greater than zero set the overlapped limit."); ?>

+ 0" . gettext(" (unlimited)."); ?>
+
+ + 0" . gettext(" (check is disabled). Values greater than zero enable the check."); ?>

+ 0" . gettext(" (check is disabled)."); ?>
+
  + "> +      + ">
+
+
+ + + + + + + + diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php new file mode 100644 index 00000000..a9f5e82b --- /dev/null +++ b/config/snort/snort_ftp_client_engine.php @@ -0,0 +1,438 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else + $pconfig = $a_nat[$eng_id]; + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "bounce_to_net" || $_GET['varname'] == "bounce_to_port") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['ftp_client_import'])) + $_SESSION['ftp_client_import'] = array(); + + $_SESSION['ftp_client_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['ftp_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to']; + if (isset($_SESSION['ftp_client_import']['bounce_to_net'])) + $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net']; + if (isset($_SESSION['ftp_client_import']['bounce_to_port'])) + $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['ftp_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to']; + if (isset($_SESSION['ftp_client_import']['bounce_to_net'])) + $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net']; + if (isset($_SESSION['ftp_client_import']['bounce_to_port'])) + $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port']; + } + else { + unset($_SESSION['ftp_client_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; } + if ($_POST['ftp_bind_to']) { + if (is_alias($_POST['ftp_bind_to'])) + $engine['bind_to'] = $_POST['ftp_bind_to']; + elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since + // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port. + if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net'])) + $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option."); + + if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port'])) + $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option."); + + if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port'])) + $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set."); + + if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net'])) + $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set."); + + // Validate the BOUNCE-TO Alias entries for correct format of their defined values. BOUNCE-TO ADDRESS must be + // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value. Provide + // detailed error messages for the user that explain any problems. + if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) { + if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])){ + $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net'])); + $net = preg_replace('/\s+/', ',', $net); + $msg = gettext("The FTP Protocol BOUNCE-TO ADDRESS parameter must be a single IP network or address, "); + $msg .= gettext("so the supplied Alias must be defined as a single address or network in CIDR form. "); + $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_net']} ] is currently defined as [ {$net} ]."); + $input_errors[] = $msg; + } + $port = trim(filter_expand_alias($_POST['ftp_client_bounce_to_port'])); + $port = preg_replace('/\s+/', ',', $port); + if (!is_port($port) && !is_portrange($port)) { + $msg = gettext("The FTP Protocol BOUNCE-TO PORT parameter must be a single port or port-range, "); + $msg .= gettext("so the supplied Alias must be defined as a single port or port-range value. "); + $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_port']} ] is currently defined as [ {$port} ]."); + $input_errors[] = $msg; + } + } + + $engine['bounce_to_net'] = $_POST['ftp_client_bounce_to_net']; + $engine['bounce_to_port'] = $_POST['ftp_client_bounce_to_port']; + $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; + $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; + $engine['bounce'] = $_POST['ftp_client_bounce_detect'] ? 'yes' : 'no'; + $engine['max_resp_len'] = $_POST['ftp_max_resp_len']; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default FTP Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Client Engine"); +include_once("head.inc"); + +?> + + + + + +
+ + +
+ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ >  + "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
+ " . gettext("default") . ""; ?>.
+
+ "default") : ?> + + + + + + + + +
  + "/>
.

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ +   + " . gettext("IP address for the default engine is read-only and must be 'all'.") . "";?>
+
+ +
> + " . gettext("Not Checked") . ""; ?>.
+
> + " . + gettext("Default is ") . "" . gettext("Checked") . ""; ?>.
+
+ + " . gettext("0") . "" . + gettext(" to disable. Default is ") . "" . gettext("256.") . "";?>
+
+
onclick="ftp_client_bounce_enable_change();"> + " . gettext("Checked") . ""; ?>.
+ + + + + + + + + + + +
  + " . gettext("blank") . ".";?> +   "/> +
  + " . gettext("blank") . ".";?> +   "/> +
+

+ " . + gettext("Supplied value must be a pre-configured Alias or left blank.");?>
+ " . gettext("Leave these settings at their defaults unless you are proxying FTP connections.");?> +
  + "> +      + ">
+
+
+
+ + + + + + + diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php new file mode 100644 index 00000000..8f462ca9 --- /dev/null +++ b/config/snort/snort_ftp_server_engine.php @@ -0,0 +1,387 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +// Grab any QUERY STRING or POST variables +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else + $pconfig = $a_nat[$eng_id]; + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['ftp_server_import'])) + $_SESSION['ftp_server_import'] = array(); + + $_SESSION['ftp_server_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['ftp_server_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to']; + if (isset($_SESSION['ftp_server_import']['ports'])) + $pconfig['ports'] = $_SESSION['ftp_server_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['ftp_server_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to']; + if (isset($_SESSION['ftp_server_import']['ports'])) + $pconfig['ports'] = $_SESSION['ftp_server_import']['ports']; + } + else { + unset($_SESSION['ftp_server_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; } + if ($_POST['ftp_bind_to']) { + if (is_alias($_POST['ftp_bind_to'])) + $engine['bind_to'] = $_POST['ftp_bind_to']; + elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + if ($_POST['ftp_ports']) { + if ($_POST['ftp_ports'] == "default") + $engine['ports'] = $_POST['ftp_ports']; + elseif (is_alias($_POST['ftp_ports'])) + $engine['ports'] = $_POST['ftp_ports']; + else + $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'."); + } + else + $engine['ports'] = 21; + + $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; + $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; + $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no'; + $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len']; + + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Server Engine"); +include_once("head.inc"); + +?> + + + + + +
+ + +
+ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ >  + "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
+ " . gettext("default") . ""; ?>.
+
+ "default") : ?> + + + + + + + + +
  + "/>
.

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + +   + " . gettext("IP address for the default engine is read-only and must be 'all'.") . "";?>
+
+ +
+ + + + + + + + +
+ "/>
" . gettext("'default'") . "" . + gettext(" Using 'default' will include the FTP Ports defined on the ") . "" . gettext("VARIABLES") . "" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?>

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> +
> + " . gettext("Not Checked") . ""; ?>.
+
> + " . gettext("Checked") . ""; ?>.
+
> + " . gettext("Not Checked") . ""; ?>.

+ " . gettext("When checked, NO INSPECTION other than state will be ") . + gettext("performed on the data channel. Enabling this option can improve performance for large FTP transfers from trusted servers.");?> +
+ + " . gettext("0") . "" . + gettext(" to disable. Default is ") . "" . gettext("100.") . "";?>
+
+
  + "> +      + ">
+
+
+
+ + + + + + + diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php new file mode 100644 index 00000000..58488f2d --- /dev/null +++ b/config/snort/snort_httpinspect_engine.php @@ -0,0 +1,751 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['ports'])) + $pconfig['ports'] = "default"; + if (empty($pconfig['server_profile'])) + $pconfig['server_profile'] = "all"; + if (empty($pconfig['enable_xff'])) + $pconfig['enable_xff'] = "off"; + if (empty($pconfig['log_uri'])) + $pconfig['log_uri'] = "off"; + if (empty($pconfig['log_hostname'])) + $pconfig['log_hostname'] = "off"; + if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0) + $pconfig['server_flow_depth'] = 65535; + if (empty($pconfig['enable_cookie'])) + $pconfig['enable_cookie'] = "on"; + if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0) + $pconfig['client_flow_depth'] = 1460; + if (empty($pconfig['extended_response_inspection'])) + $pconfig['extended_response_inspection'] = "on"; + if (empty($pconfig['no_alerts'])) + $pconfig['no_alerts'] = "off"; + if (empty($pconfig['unlimited_decompress'])) + $pconfig['unlimited_decompress'] = "on"; + if (empty($pconfig['inspect_gzip'])) + $pconfig['inspect_gzip'] = "on"; + if (empty($pconfig['normalize_cookies'])) + $pconfig['normalize_cookies'] = "on"; + if (empty($pconfig['normalize_headers'])) + $pconfig['normalize_headers'] = "on"; + if (empty($pconfig['normalize_utf'])) + $pconfig['normalize_utf'] = "on"; + if (empty($pconfig['normalize_javascript'])) + $pconfig['normalize_javascript'] = "on"; + if (empty($pconfig['allow_proxy_use'])) + $pconfig['allow_proxy_use'] = "off"; + if (empty($pconfig['inspect_uri_only'])) + $pconfig['inspect_uri_only'] = "off"; + if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0) + $pconfig['max_javascript_whitespaces'] = 200; + if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0) + $pconfig['post_depth'] = -1; + if (empty($pconfig['max_headers'])) + $pconfig['max_headers'] = 0; + if (empty($pconfig['max_spaces'])) + $pconfig['max_spaces'] = 0; + if (empty($pconfig['max_header_length'])) + $pconfig['max_header_length'] = 0; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + $_SESSION['http_inspect_import'] = array(); + + $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + else { + unset($_SESSION['http_inspect_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + + // Grab all the POST values and save in new temp array + $engine = array(); + if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; } + if ($_POST['httpinspect_bind_to']) { + if (is_alias($_POST['httpinspect_bind_to'])) + $engine['bind_to'] = $_POST['httpinspect_bind_to']; + elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; } + + // Validate the text input fields before saving + if (!empty($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] == 0) { + $engine['server_flow_depth'] = $_POST['httpinspect_server_flow_depth']; + if (!is_numeric($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] < -1 || $_POST['httpinspect_server_flow_depth'] > 65535) + $input_errors[] = gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535."); + } + else + $engine['server_flow_depth'] = 65535; + + if (!empty($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] == 0) { + $engine['client_flow_depth'] = $_POST['httpinspect_client_flow_depth']; + if (!is_numeric($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] < -1 || $_POST['httpinspect_client_flow_depth'] > 1460) + $input_errors[] = gettext("The value for Client_Flow_Depth must be between -1 and 1460."); + } + else + $engine['client_flow_depth'] = 1460; + + if (!empty($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] == 0) { + $engine['max_javascript_whitespaces'] = $_POST['httpinspect_max_javascript_whitespaces']; + if (!is_numeric($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] < 0 || $_POST['httpinspect_max_javascript_whitespaces'] > 65535) + $input_errors[] = gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535."); + } + else + $engine['max_javascript_whitespaces'] = 200; + + if (!empty($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] == 0) { + $engine['post_depth'] = $_POST['httpinspect_post_depth']; + if (!is_numeric($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] < -1 || $_POST['httpinspect_post_depth'] > 65495) + $input_errors[] = gettext("The value for Post_Depth must be between -1 and 65495."); + } + else + $engine['post_depth'] = -1; + + if (!empty($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] == 0) { + $engine['max_headers'] = $_POST['httpinspect_max_headers']; + if (!is_numeric($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] < 0 || $_POST['httpinspect_max_headers'] > 65535) + $input_errors[] = gettext("The value for Max_Headers must be between 0 and 65535."); + } + else + $engine['max_headers'] = 0; + + if (!empty($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] == 0) { + $engine['max_spaces'] = $_POST['httpinspect_max_spaces']; + if (!is_numeric($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] < 0 || $_POST['httpinspect_max_spaces'] > 65535) + $input_errors[] = gettext("The value for Max_Spaces must be between 0 and 65535."); + } + else + $engine['max_spaces'] = 0; + + if (!empty($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] == 0) { + $engine['max_header_length'] = $_POST['httpinspect_max_header_length']; + if (!is_numeric($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] < 0 || $_POST['httpinspect_max_header_length'] > 65535) + $input_errors[] = gettext("The value for Max_Header_Length must be between 0 and 65535."); + } + else + $engine['max_header_length'] = 0; + + if ($_POST['httpinspect_server_profile']) { $engine['server_profile'] = $_POST['httpinspect_server_profile']; } else { $engine['server_profile'] = "all"; } + + $engine['no_alerts'] = $_POST['httpinspect_no_alerts'] ? 'on' : 'off'; + $engine['enable_xff'] = $_POST['httpinspect_enable_xff'] ? 'on' : 'off'; + $engine['log_uri'] = $_POST['httpinspect_log_uri'] ? 'on' : 'off'; + $engine['log_hostname'] = $_POST['httpinspect_log_hostname'] ? 'on' : 'off'; + $engine['extended_response_inspection'] = $_POST['httpinspect_extended_response_inspection'] ? 'on' : 'off'; + $engine['enable_cookie'] = $_POST['httpinspect_enable_cookie'] ? 'on' : 'off'; + $engine['unlimited_decompress'] = $_POST['httpinspect_unlimited_decompress'] ? 'on' : 'off'; + $engine['inspect_gzip'] = $_POST['httpinspect_inspect_gzip'] ? 'on' : 'off'; + $engine['normalize_cookies'] = $_POST['httpinspect_normalize_cookies'] ? 'on' : 'off'; + $engine['normalize_headers'] = $_POST['httpinspect_normalize_headers'] ? 'on' : 'off'; + $engine['normalize_utf'] = $_POST['httpinspect_normalize_utf'] ? 'on' : 'off'; + $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; + $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; + $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses."); + $pconfig = $engine; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom + // if it contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine"); +include_once("head.inc"); + +?> + + + + + +
+ + +
+ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ >  + "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
+ " . gettext("default") . ""; ?>.
+
+ "default") : ?> + + + + + + + + +
  + "/>

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + +   + " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>
+
+ +
+ + + + + + + + +
+ "/>
" . gettext("'default'. ") . "";?> + " . gettext("VARIABLES") . "" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?>

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> +
+   " . gettext("All") . "";?>
+
+
> + + .
> + + .

+ " . + gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " . + "enabled, otherwise this setting does nothing.");?> +
> + + .
> + + .
> + + .
> + + .
> + + .

+ " . + gettext("If this option is used without any uricontent rules, then no inspection will take place. " . + "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?> +
> + + .
> + + .
+ + + + + +
+ " . gettext("1") . "" . gettext(" and maximum is ") . + "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables this alert). "). gettext("The default value is ") . + "" . gettext("200") . "."?>
+
> + + .
> + + .
> + + .
> + + .
> + + .
+  " . gettext(" to ") . "" . gettext("65535") . " " . gettext("(") . "" . + gettext("-1") . "" . gettext(" disables HTTP inspect, ") . "" . gettext("0") . "" . + gettext(" enables all HTTP inspect).");?>

+ " . gettext("65535") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("1460") . "" . gettext(" (") . "" . gettext("-1") . + "" . gettext(" disables HTTP inspect, ") . "" . gettext("0") . "" . + gettext(" enables all HTTP inspect).");?>

+ + " . gettext("1460") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("65495") . "" . gettext(" (") . "" . gettext("-1") . + "" . gettext(" ignores all post data, ") . "" . gettext("0") . "" . + gettext(" inspects all post data).");?>

+ " . gettext("-1") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("1024") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables the alert).");?>

+ " . gettext("0") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables the alert).");?>

+ " . gettext("0") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables the alert).");?>

+ " . gettext("0") . ".";?> +
  + "> +      + ">
+
+
+
+ + + + + + + + + diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php new file mode 100644 index 00000000..d9f751cd --- /dev/null +++ b/config/snort/snort_import_aliases.php @@ -0,0 +1,327 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +// Retrieve any passed QUERY STRING or POST variables +$id = $_GET['id']; +$eng = $_GET['eng']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng'])) + $eng = $_POST['eng']; + +// Make sure we have a valid rule ID and ENGINE name, or +// else bail out to top-level menu. +if (is_null($id) || is_null($eng)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +// Used to track if any selectable Aliases are found +$selectablealias = false; + +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// The $eng variable points to the specific Snort config section +// engine we are importing values into. Initialize the config.xml +// array if necessary. +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'])) + $config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'] = array(); + +// Initialize a pointer to the Snort config section engine we are +// importing values into. +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id][$eng]['item']; + +// Build a lookup array of currently used engine 'bind_to' Aliases +// so we can screen matching Alias names from the list. +$used = array(); +foreach ($a_nat as $v) + $used[$v['bind_to']] = true; + +// Construct the correct return anchor string based on the Snort config section +// engine we were called with. This lets us return to the page and section +// we were called from. Also set the flag for those engines which accept +// multiple IP addresses for the "bind_to" parameter. +switch ($eng) { + case "frag3_engine": + $anchor = "#frag3_row"; + $multi_ip = true; + $title = "Frag3 Engine"; + break; + case "http_inspect_engine": + $anchor = "#httpinspect_row"; + $multi_ip = true; + $title = "HTTP_Inspect Engine"; + break; + case "stream5_tcp_engine": + $anchor = "#stream5_row"; + $multi_ip = true; + $title = "Stream5 TCP Engine"; + break; + case "ftp_server_engine": + $anchor = "#ftp_telnet_row"; + $multi_ip = false; + $title = "FTP Server Engine"; + break; + case "ftp_client_engine": + $anchor = "#ftp_telnet_row"; + $multi_ip = false; + $title = "FTP Client Engine"; + break; + default: + $anchor = ""; +} + +if ($_POST['cancel']) { + header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); + exit; +} + +if ($_POST['save']) { + + // Define default engine configurations for each of the supported engines. + + $def_frag3 = array( "name" => "", "bind_to" => "", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + $def_ftp_server = array( "name" => "", "bind_to" => "", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + $def_ftp_client = array( "name" => "", "bind_to" => "", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + $def_http_inspect = array( "name" => "", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + + $def_stream5 = array( "name" => "", "bind_to" => "", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + // Figure out which engine type we are importing and set up default engine array + $engine = array(); + switch ($eng) { + case "frag3_engine": + $engine = $def_frag3; + break; + case "http_inspect_engine": + $engine = $def_http_inspect; + break; + case "stream5_tcp_engine": + $engine = $def_stream5; + break; + case "ftp_server_engine": + $engine = $def_ftp_server; + break; + case "ftp_client_engine": + $engine = $def_ftp_client; + break; + default: + $engine = ""; + $input_errors[] = gettext("Invalid ENGINE TYPE passed in query string. Aborting operation."); + } + + // See if anything was checked to import + if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) { + foreach ($_POST['toimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[] = $engine; + } + } + else + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf and return + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); + exit; + } +} + +$pgtitle = gettext("Snort: Import Host/Network Alias for {$title}"); +include("head.inc"); + +?> + + + +
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + +

+
+ + + + + + + + + + + + + + + + + + "host" && $alias['type'] <> "network") + continue; + if (isset($used[$alias['name']])) + continue; + if (!$multi_ip && !snort_is_single_addr_alias($alias['name'])) { + $textss = ""; + $textse = ""; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple addresses cannot be used with the '{$eng}'."); + } + elseif (trim(filter_expand_alias($alias['name'])) == "") { + $textss = ""; + $textse = ""; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entries will be imported. Click to toggle selection of this entry."); + } + ?> + + + + + + + + + + +
+ +
+ 10) { + echo "..."; + } + ?> + +   +
+
+ "/> +
+ "/>    + "/> +
+
+
+
+
+ + + diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index bbd4338c..9d488207 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -102,6 +102,12 @@ elseif (isset($id) && !isset($a_rule[$id])) { if (isset($_GET['dup'])) unset($id); +// Set defaults for empty key parameters +if (empty($pconfig['blockoffendersip'])) + $pconfig['blockoffendersip'] = "both"; +if (empty($pconfig['performance'])) + $pconfig['performance'] = "ac-bnfa"; + if ($_POST["Submit"]) { if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; @@ -113,7 +119,7 @@ if ($_POST["Submit"]) { $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */ + /* See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed */ $snort_reload = false; if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname'])) $snort_reload = true; @@ -121,8 +127,6 @@ if ($_POST["Submit"]) { $snort_reload = true; if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname'])) $snort_reload = true; - if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname'])) - $snort_reload = true; if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']); @@ -150,8 +154,100 @@ if ($_POST["Submit"]) { exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}"); } $a_rule[$id] = $natent; - } else + } else { + // Adding new interface, so set required interface configuration defaults + $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + $stream5_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + $http_eng = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + + $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + $ftp_server_eng = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + $natent['max_attribute_hosts'] = '10000'; + $natent['max_attribute_services_per_host'] = '10'; + $natent['max_paf'] = '16000'; + + $natent['ftp_preprocessor'] = 'on'; + $natent['ftp_telnet_inspection_type'] = "stateful"; + $natent['ftp_telnet_alert_encrypted'] = "off"; + $natent['ftp_telnet_check_encrypted'] = "on"; + $natent['ftp_telnet_normalize'] = "on"; + $natent['ftp_telnet_detect_anomalies'] = "on"; + $natent['ftp_telnet_ayt_attack_threshold'] = "20"; + if (!is_array($natent['ftp_client_engine']['item'])) + $natent['ftp_client_engine']['item'] = array(); + $natent['ftp_client_engine']['item'][] = $ftp_client_eng; + if (!is_array($natent['ftp_server_engine']['item'])) + $natent['ftp_server_engine']['item'] = array(); + $natent['ftp_server_engine']['item'][] = $ftp_server_eng; + + $natent['smtp_preprocessor'] = 'on'; + $natent['dce_rpc_2'] = 'on'; + $natent['dns_preprocessor'] = 'on'; + $natent['ssl_preproc'] = 'on'; + $natent['pop_preproc'] = 'on'; + $natent['imap_preproc'] = 'on'; + $natent['sip_preproc'] = 'on'; + $natent['other_preprocs'] = 'on'; + + $natent['pscan_protocol'] = 'all'; + $natent['pscan_type'] = 'all'; + $natent['pscan_memcap'] = '10000000'; + $natent['pscan_sense_level'] = 'medium'; + + $natent['http_inspect'] = "on"; + $natent['http_inspect_proxy_alert'] = "off"; + $natent['http_inspect_memcap'] = "150994944"; + $natent['http_inspect_max_gzip_mem'] = "838860"; + if (!is_array($natent['http_inspect_engine']['item'])) + $natent['http_inspect_engine']['item'] = array(); + $natent['http_inspect_engine']['item'][] = $http_eng; + + $natent['frag3_max_frags'] = '8192'; + $natent['frag3_memcap'] = '4194304'; + $natent['frag3_detection'] = 'on'; + if (!is_array($natent['frag3_engine']['item'])) + $natent['frag3_engine']['item'] = array(); + $natent['frag3_engine']['item'][] = $frag3_eng; + + $natent['stream5_reassembly'] = 'on'; + $natent['stream5_flush_on_alert'] = 'off'; + $natent['stream5_prune_log_max'] = '1048576'; + $natent['stream5_track_tcp'] = 'on'; + $natent['stream5_max_tcp'] = '262144'; + $natent['stream5_track_udp'] = 'on'; + $natent['stream5_max_udp'] = '131072'; + $natent['stream5_udp_timeout'] = '30'; + $natent['stream5_track_icmp'] = 'off'; + $natent['stream5_max_icmp'] = '65536'; + $natent['stream5_icmp_timeout'] = '30'; + $natent['stream5_mem_cap']= '8388608'; + if (!is_array($natent['stream5_tcp_engine']['item'])) + $natent['stream5_tcp_engine']['item'] = array(); + $natent['stream5_tcp_engine']['item'][] = $stream5_eng; + $a_rule[] = $natent; + } /* If Snort is disabled on this interface, stop any running instance */ if ($natent['enable'] != 'on') @@ -168,9 +264,9 @@ if ($_POST["Submit"]) { /*******************************************************/ /* Signal Snort to reload configuration if we changed */ - /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */ - /* list values. The function only signals a running */ - /* Snort instance to safely reload these parameters. */ + /* HOME_NET, EXTERNAL_NET or Suppress list values. */ + /* The function only signals a running Snort instance */ + /* to safely reload these parameters. */ /*******************************************************/ if ($snort_reload == true) snort_reload_config($natent, "SIGHUP"); @@ -187,7 +283,7 @@ if ($_POST["Submit"]) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface Edit: {$if_friendly}"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings"); include_once("head.inc"); ?> @@ -265,28 +361,24 @@ include_once("head.inc");   
-
+  
-
+

- - - onClick="enable_change(false)"> + + > - + @@ -295,14 +387,14 @@ include_once("head.inc"); "Snort alert."); ?> - + > - +    - +
+  " . gettext("Choosing BOTH is suggested, and it is the default value."); ?>
@@ -332,8 +425,8 @@ include_once("head.inc"); foreach ($interfaces2 as $iface2 => $ifacename2): ?> - + +    " . gettext("Default") . "" . gettext(" is ") . "" . gettext("AC-BNFA") . ""; ?>.

@@ -471,17 +564,17 @@ include_once("head.inc"); id="btnWhitelist" title=""/>

 
 
-   + "use."); ?>

+  
+   - + - + 'on') echo 'disabled'; ?>>
+ class="formfld unknown" id="oinkmastercode" size="52" + value="">
- ' , ''); ?> + " . gettext("Snort Community") . "" . gettext(" rules");?> - + > +
> -

' ,''); ?>
 +

" . gettext("Note: ") . "" . + gettext("If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the ") . + gettext("Snort VRT rules, and there is no benefit in adding this rule set.");?>
- ' , ''); ?> + " . gettext("Emerging Threats") . "" . gettext(" rules");?> @@ -236,20 +268,19 @@ if ($input_errors) +
" . gettext("Note:") . "" . " " . gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?>
+ -
 
-
'on') echo 'disabled'; ?>>
+ class="formfld unknown" id="etpro_code" size="52" + value="">
@@ -276,7 +307,7 @@ if ($input_errors) - >   " . gettext("Default") . " " . gettext("is ") . "" . gettext("00:03") . ""; ?>.

@@ -304,44 +335,42 @@ if ($input_errors) > -
-
+
+
- - +
MB -   ', ''); ?>" . gettext("MB:") . "";?>  + +  " . gettext("20%") . "" . gettext(" of available space.");?>
- +    -

- ', ''); ?> +   +

+ " . gettext("Hint:") . "" . gettext(" in most cases, 1 hour is a good choice.");?> - + - >   + >   @@ -351,10 +380,8 @@ if ($input_errors)   -
- +   +
@@ -367,15 +394,17 @@ if ($input_errors) diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 7eed6dd3..e42b7f8c 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -84,7 +84,7 @@ if ($_GET['act'] == "del") { } } -$pgtitle = "Services: Snort: Suppression"; +$pgtitle = gettext("Snort: Suppression Lists"); include_once("head.inc"); ?> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 1eb16260..3d703987 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -126,7 +126,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Suppression: Edit"; +$pgtitle = gettext("Snort: Suppression List Edit - {$a_suppress[$id]['name']}"); include_once("head.inc"); ?> @@ -166,7 +166,7 @@ if ($savemsg)
+ class="formfld unknown" size="40" value="" />
   @@ -174,7 +174,7 @@ if ($savemsg)
+ class="formfld unknown" id="descr" size="40" value="" />
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index ab22103e..9391eb85 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -61,7 +61,7 @@ if ($_GET['act'] == "del") { } } -$pgtitle = "Services: Snort: Whitelist"; +$pgtitle = gettext("Snort: Whitelists"); include_once("head.inc"); ?> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 671fa4e5..9fb97be1 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -38,6 +38,11 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if ($_POST['cancel']) { + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; +} + if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) $config['installedpackages']['snortglobal']['whitelist'] = array(); if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) @@ -88,6 +93,12 @@ if (isset($id) && $a_whitelist[$id]) { $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; } +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + if ($_GET['varname'] == "address" && !empty($_GET['varvalue'])) + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + if ($_POST['submit']) { conf_mount_rw(); @@ -118,7 +129,7 @@ if ($_POST['submit']) { if ($_POST['address']) if (!is_alias($_POST['address'])) - $input_errors[] = gettext("A valid alias need to be provided"); + $input_errors[] = gettext("A valid alias must be provided"); if (!$input_errors) { $w_list = array(); @@ -151,7 +162,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; +$pgtitle = gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}"); include_once("head.inc"); ?> @@ -193,7 +204,7 @@ if ($savemsg) -
   @@ -201,7 +212,7 @@ if ($savemsg) -
@@ -261,14 +272,17 @@ if ($savemsg)
- + +     "/>   - + @@ -287,7 +301,7 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; - // Skip any Alias that resolves to an empty string + // Skip any Aliases that resolve to an empty string if (trim(filter_expand_alias($alias_name['name'])) == "") continue; if($addrisfirst == 1) $aliasesaddr .= ","; diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php new file mode 100644 index 00000000..35dd3847 --- /dev/null +++ b/config/snort/snort_migrate_config.php @@ -0,0 +1,298 @@ + elements in the Snort configuration and */ +/* migrate the relevant preprocessor parameters to the new format. */ +/****************************************************************************/ + +$updated_cfg = false; +log_error("[Snort] Checking configuration settings version..."); + +// Check the configuration version to see if XMLRPC Sync should +// auto-disabled as part of the upgrade due to config format changes. +if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) && + ($config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'auto' || + $config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'manual')) { + $config['installedpackages']['snortsync']['config']['varsynconchanges'] = "disabled"; + log_error("[Snort] Turning off Snort Sync on this host due to configuration format changes in this update. Upgrade all Snort Sync targets to this same Snort package version before re-enabling Snort Sync."); + $updated_cfg = true; +} + +foreach ($rule as &$r) { + // Initialize arrays for supported preprocessors if necessary + if (!is_array($r['frag3_engine']['item'])) + $r['frag3_engine']['item'] = array(); + if (!is_array($r['stream5_tcp_engine']['item'])) + $r['stream5_tcp_engine']['item'] = array(); + if (!is_array($r['http_inspect_engine']['item'])) + $r['http_inspect_engine']['item'] = array(); + if (!is_array($r['ftp_client_engine']['item'])) + $r['ftp_client_engine']['item'] = array(); + if (!is_array($r['ftp_server_engine']['item'])) + $r['ftp_server_engine']['item'] = array(); + + $pconfig = array(); + $pconfig = $r; + + // Create a default "frag3_engine" if none are configured + if (empty($pconfig['frag3_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating Frag3 Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + // Ensure sensible default values exist for global Frag3 parameters + if (empty($pconfig['frag3_max_frags'])) + $pconfig['frag3_max_frags'] = '8192'; + if (empty($pconfig['frag3_memcap'])) + $pconfig['frag3_memcap'] = '4194304'; + if (empty($pconfig['frag3_detection'])) + $pconfig['frag3_detection'] = 'on'; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['frag3_policy'])) + $default['policy'] = $pconfig['frag3_policy']; + unset($pconfig['frag3_policy']); + if (isset($pconfig['frag3_timeout']) && is_numeric($pconfig['frag3_timeout'])) + $default['timeout'] = $pconfig['frag3_timeout']; + unset($pconfig['frag3_timeout']); + if (isset($pconfig['frag3_overlap_limit']) && is_numeric($pconfig['frag3_overlap_limit'])) + $default['overlap_limit'] = $pconfig['frag3_overlap_limit']; + unset($pconfig['frag3_overlap_limit']); + if (isset($pconfig['frag3_min_frag_len']) && is_numeric($pconfig['frag3_min_frag_len'])) + $default['min_frag_len'] = $pconfig['frag3_min_frag_len']; + unset($pconfig['frag3_min_frag_len']); + + $pconfig['frag3_engine']['item'] = array(); + $pconfig['frag3_engine']['item'][] = $default; + } + + // Create a default Stream5 engine array if none are configured + if (empty($pconfig['stream5_tcp_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating Stream5 Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + // Ensure sensible defaults exist for Stream5 global parameters + if (empty($pconfig['stream5_reassembly'])) + $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_flush_on_alert'])) + $pconfig['stream5_flush_on_alert'] = 'off'; + if (empty($pconfig['stream5_prune_log_max'])) + $pconfig['stream5_prune_log_max'] = '1048576'; + if (empty($pconfig['stream5_track_tcp'])) + $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_max_tcp'])) + $pconfig['stream5_max_tcp'] = '262144'; + if (empty($pconfig['stream5_track_udp'])) + $pconfig['stream5_track_udp'] = 'on'; + if (empty($pconfig['stream5_max_udp'])) + $pconfig['stream5_max_udp'] = '131072'; + if (empty($pconfig['stream5_udp_timeout'])) + $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_max_icmp'])) + $pconfig['stream5_max_icmp'] = '65536'; + if (empty($pconfig['stream5_icmp_timeout'])) + $pconfig['stream5_icmp_timeout'] = '30'; + if (empty($pconfig['stream5_mem_cap'])) + $pconfig['stream5_mem_cap']= '8388608'; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['stream5_policy'])) + $default['policy'] = $pconfig['stream5_policy']; + unset($pconfig['stream5_policy']); + if (isset($pconfig['stream5_tcp_timeout']) && is_numeric($pconfig['stream5_tcp_timeout'])) + $default['timeout'] = $pconfig['stream5_tcp_timeout']; + unset($pconfig['stream5_tcp_timeout']); + if (isset($pconfig['stream5_overlap_limit']) && is_numeric($pconfig['stream5_overlap_limit'])) + $default['overlap_limit'] = $pconfig['stream5_overlap_limit']; + unset($pconfig['stream5_overlap_limit']); + if (isset($pconfig['stream5_require_3whs'])) + $default['require_3whs'] = $pconfig['stream5_require_3whs']; + unset($pconfig['stream5_require_3whs']); + if (isset($pconfig['stream5_no_reassemble_async'])) + $default['no_reassemble_async'] = $pconfig['stream5_no_reassemble_async']; + unset($pconfig['stream5_no_reassemble_async']); + if (isset($pconfig['stream5_dont_store_lg_pkts'])) + $default['dont_store_lg_pkts'] = $pconfig['stream5_dont_store_lg_pkts']; + unset($pconfig['stream5_dont_store_lg_pkts']); + if (isset($pconfig['max_queued_bytes']) && is_numeric($pconfig['max_queued_bytes'])) + $default['max_queued_bytes'] = $pconfig['max_queued_bytes']; + unset($pconfig['max_queued_bytes']); + if (isset($pconfig['max_queued_segs']) && is_numeric($pconfig['max_queued_segs'])) + $default['max_queued_segs'] = $pconfig['max_queued_segs']; + unset($pconfig['max_queued_segs']); + + $pconfig['stream5_tcp_engine']['item'] = array(); + $pconfig['stream5_tcp_engine']['item'][] = $default; + } + + // Create a default HTTP_INSPECT engine if none are configured + if (empty($pconfig['http_inspect_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating HTTP_Inspect Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + + // Ensure sensible default values exist for global HTTP_INSPECT parameters + if (empty($pconfig['http_inspect'])) + $pconfig['http_inspect'] = "on"; + if (empty($pconfig['http_inspect_proxy_alert'])) + $pconfig['http_inspect_proxy_alert'] = "off"; + if (empty($pconfig['http_inspect_memcap'])) + $pconfig['http_inspect_memcap'] = "150994944"; + if (empty($pconfig['http_inspect_max_gzip_mem'])) + $pconfig['http_inspect_max_gzip_mem'] = "838860"; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['server_flow_depth']) && is_numeric($pconfig['server_flow_depth'])) + $default['server_flow_depth'] = $pconfig['server_flow_depth']; + unset($pconfig['server_flow_depth']); + if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth'])) + $default['client_flow_depth'] = $pconfig['client_flow_depth']; + unset($pconfig['client_flow_depth']); + if (isset($pconfig['http_server_profile'])) + $default['server_profile'] = $pconfig['http_server_profile']; + unset($pconfig['http_server_profile']); + if (isset($pconfig['http_inspect_enable_xff'])) + $default['enable_xff'] = $pconfig['http_inspect_enable_xff']; + unset($pconfig['http_inspect_enable_xff']); + if (isset($pconfig['http_inspect_log_uri'])) + $default['log_uri'] = $pconfig['http_inspect_log_uri']; + unset($pconfig['http_inspect_log_uri']); + if (isset($pconfig['http_inspect_log_hostname'])) + $default['log_hostname'] = $pconfig['http_inspect_log_hostname']; + unset($pconfig['http_inspect_log_hostname']); + if (isset($pconfig['noalert_http_inspect'])) + $default['no_alerts'] = $pconfig['noalert_http_inspect']; + unset($pconfig['noalert_http_inspect']); + + $pconfig['http_inspect_engine']['item'] = array(); + $pconfig['http_inspect_engine']['item'][] = $default; + } + + // Create a default FTP_CLIENT engine if none are configured + if (empty($pconfig['ftp_client_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating FTP Client Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + // Set defaults for new FTP_Telnet preprocessor configurable parameters + if (empty($pconfig['ftp_telnet_inspection_type'])) + $pconfig['ftp_telnet_inspection_type'] = 'stateful'; + if (empty($pconfig['ftp_telnet_alert_encrypted'])) + $pconfig['ftp_telnet_alert_encrypted'] = 'off'; + if (empty($pconfig['ftp_telnet_check_encrypted'])) + $pconfig['ftp_telnet_check_encrypted'] = 'on'; + if (empty($pconfig['ftp_telnet_normalize'])) + $pconfig['ftp_telnet_normalize'] = 'on'; + if (empty($pconfig['ftp_telnet_detect_anomalies'])) + $pconfig['ftp_telnet_detect_anomalies'] = 'on'; + if (empty($pconfig['ftp_telnet_ayt_attack_threshold'])) + $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; + + // Add new FTP_Telnet Client default engine + $pconfig['ftp_client_engine']['item'] = array(); + $pconfig['ftp_client_engine']['item'][] = $default; + } + + // Create a default FTP_SERVER engine if none are configured + if (empty($pconfig['ftp_server_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating FTP Server Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + // Add new FTP_Telnet Server default engine + $pconfig['ftp_server_engine']['item'] = array(); + $pconfig['ftp_server_engine']['item'][] = $default; + } + + // Save the new configuration data into the $config array pointer + $r = $pconfig; +} +// Release reference to final array element +unset($r); + +// Write out the new configuration to disk if we changed anything +if ($updated_cfg) { + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.0"; + log_error("[Snort] Saving configuration settings in new format..."); + write_config(); + log_error("[Snort] Settings successfully migrated to new configuration format..."); +} +else + log_error("[Snort] Configuration version is current..."); + +?> diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php new file mode 100644 index 00000000..9723a4ba --- /dev/null +++ b/config/snort/snort_post_install.php @@ -0,0 +1,1440 @@ + "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" + ); + foreach ($snort_dirs as $dir) { + if (!is_dir($dir)) + safe_mkdir($dir); + } + + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ + $snort_files = array("gen-msg.map", "classification.config", "reference.config", + "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", + "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" + ); + foreach ($snort_files as $file) { + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } + } + + /* define alertsystemlog */ + $alertsystemlog_type = ""; + if ($snortcfg['alertsystemlog'] == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; + + /* define snortunifiedlog */ + $snortunifiedlog_type = ""; + if ($snortcfg['snortunifiedlog'] == "on") + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + + /* define spoink */ + $spoink_type = ""; + if ($snortcfg['blockoffenders7'] == "on") { + $pfkill = ""; + if ($snortcfg['blockoffenderskill'] == "on") + $pfkill = "kill"; + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + /* write whitelist */ + @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); + $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; + } + + /* define selected suppress file */ + $suppress_file_name = ""; + $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); + if (!empty($suppress)) { + $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); + @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); + $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; + } + + /* set the snort performance model */ + $snort_performance = "ac-bnfa"; + if(!empty($snortcfg['performance'])) + $snort_performance = $snortcfg['performance']; + + /* if user has defined a custom ssh port, use it */ + if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; + else + $ssh_port = "22"; + + /* Define an array of default values for the various preprocessor ports */ + $snort_ports = array( + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" + ); + + /* Check for defined Aliases that may override default port settings as we build the portvars array */ + $portvardef = ""; + foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; + } + + /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ + $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; + $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; + $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; + $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; + $stream5_ports_client .= "\t 32778 32779"; + $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; + $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; + $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; + $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; + $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; + $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; + $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; + $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; + $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; + $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; + $stream5_ports_both .= "\t 55555 56712"; + + ///////////////////////////// + /* preprocessor code */ + /* def perform_stat */ + $perform_stat = << '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; + } + + // Setup the standard FTP commands used for all FTP Server engines + $ftp_cmds = << \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +EOD; + + // Configure all the FTP_Telnet FTP protocol options + // Iterate and configure the FTP Client engines + $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + + // If no FTP client engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; + $ftp_client_engine = ""; + + foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; + } + // Trim final trailing newline + rtrim($ftp_client_engine); + + // Iterate and configure the FTP Server engines + $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + + // If no FTP server engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; + $ftp_server_engine = ""; + + foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; + } + // Remove trailing newlines + rtrim($ftp_server_engine); + + $ftp_preprocessor = << "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", + "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", + "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", + "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" + ); + + // Change old name from "var" to new name of "ipvar" for IP variables because + // Snort is deprecating the old "var" name in newer versions. + $ipvardef = ""; + foreach ($snort_servers as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); + } + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; + } + + $snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" + ); + $snort_preproc = array ( + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + ); + $default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + ); + $snort_preprocessors = ""; + foreach ($snort_preproc as $preproc) { + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } else + log_error("Could not find the {$preproclib} file. Snort might error out!"); + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } + } + // Remove final trailing newline + $snort_preprocessors = rtrim($snort_preprocessors); + + $snort_misc_include_rules = ""; + if (file_exists("{$snortcfgdir}/reference.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; + if (file_exists("{$snortcfgdir}/classification.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; + if (is_dir("{$snortcfgdir}/preproc_rules")) { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { + $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; + if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; + } else + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; + if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { + @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); + @unlink("{$g['tmp_path']}/sedcmd"); + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + } + } else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + } + + /* generate rule sections to load */ + /* The files are always configured so the update process is easier */ + $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + + // Remove trailing newlines + $snort_misc_include_rules = rtrim($snort_misc_include_rules); + $selected_rules_sections = rtrim($selected_rules_sections); + + /* Create the actual rules files and save in the interface directory */ + snort_prepare_rule_files($snortcfg, $snortcfgdir); + + $cksumcheck = "all"; + if ($snortcfg['cksumcheck'] == 'on') + $cksumcheck = "none"; + + /* Pull in user-configurable detection config options */ + $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; + if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; + if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; + if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + + /* Pull in user-configurable options for Frag3 preprocessor settings */ + /* Get global Frag3 options first and put into a string */ + $frag3_global = "preprocessor frag3_global: "; + if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; + else + $frag3_global .= "memcap 4194304, "; + if (!empty($snortcfg['frag3_max_frags'])) + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; + else + $frag3_global .= "max_frags 8192"; + if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + + $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $frag3_engine = ""; + + // Now iterate configured Frag3 engines and write them to a string if enabled + if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); + } + + // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs + $paf_max_pdu_config = "config paf_max: "; + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') + $paf_max_pdu_config .= "0"; + else + $paf_max_pdu_config .= $snortcfg['max_paf']; + + // Pull in user-configurable options for Stream5 preprocessor settings + // Get global options first and put into a string + $stream5_global = "preprocessor stream5_global: \\\n"; + if ($snortcfg['stream5_reassembly'] == "off") + $stream5_global .= "\tdisabled, \\\n"; + if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; + else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; + } + if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; + else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; + } + if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; + } + else + $stream5_global .= " \\\n\ttrack_icmp no,"; + if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; + else + $stream5_global .= " \\\n\tmemcap 8388608,"; + + if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; + else + $stream5_global .= " \\\n\tprune_log_max 1048576"; + if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + + $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $stream5_tcp_engine = ""; + + // Now iterate configured Stream5 TCP engines and write them to a string if enabled + if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); + } + + // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; + else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; + } + + // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; + } + else + $stream5_icmp_engine = ""; + + // Check for and configure Host Attribute Table if enabled + $host_attrib_config = ""; + if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; + } + + // Configure the HTTP_INSPECT preprocessor + // Get global options first and put into a string + $http_inspect_global = "preprocessor http_inspect: global "; + if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; + $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; + $http_inspect_global .= "\tcompress_depth 65535 \\\n"; + $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; + else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; + if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; + else + $http_inspect_global .= "\tmax_gzip_mem 838860"; + if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + + $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); + $http_inspect_servers = ""; + + // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled + if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); + } + + // Finally, build the Snort configuration file + $snort_conf_text = << "console") + $snort_gui_include = true; + include "/usr/local/pkg/snort/snort_check_for_rule_updates.php"; + update_status(gettext("Generating snort.conf configuration file from saved settings...")); + $rebuild_rules = true; + + /* Create the snort.conf files for each enabled interface */ + $snortconf = $config['installedpackages']['snortglobal']['rule']; + foreach ($snortconf as $value) { + $if_real = snort_get_real_interface($value['interface']); + + /* create a snort.conf file for interface */ + snort_build_new_conf($value); + + /* create barnyard2.conf file for interface */ + if ($value['barnyard_enable'] == 'on') + snort_create_barnyard2_conf($value, $if_real); + } + + /* create snort bootup file snort.sh */ + snort_create_rc(); + + /* Set Log Limit, Block Hosts Time and Rules Update Time */ + snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false); + snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false); + snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false); + + /* Add the recurring jobs created above to crontab */ + configure_cron(); + conf_mount_ro(); + + $rebuild_rules = false; + update_output_window(gettext("Finished rebuilding Snort configuration files...")); + log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); + + /* Only try to start Snort if not in reboot */ + if (!$g['booting']) { + update_status(gettext("Starting Snort using rebuilt configuration...")); + update_output_window(gettext("Please wait... while Snort is started...")); + log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); + start_service("snort"); + update_output_window(gettext("Snort has been started using the rebuilt configuration...")); + } +} + +/* Done with post-install, so clear flag */ +unset($g['snort_postinstall']); +log_error(gettext("[Snort] Package post-installation tasks completed...")); +return true; + +?> diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 95d5a10e..98a0b106 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -37,16 +37,6 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; $snortlogdir = SNORTLOGDIR; -if (!is_array($config['installedpackages']['snortglobal'])) { - $config['installedpackages']['snortglobal'] = array(); -} -$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -55,6 +45,32 @@ if (is_null($id)) { exit; } +if (!is_array($config['installedpackages']['snortglobal'])) + $config['installedpackages']['snortglobal'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// Initialize multiple config engine arrays for supported preprocessors if necessary +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array(); + +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; +$frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']); +$stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']); +$http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']); +$ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']); +$ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']); + $pconfig = array(); if (isset($id) && $a_nat[$id]) { $pconfig = $a_nat[$id]; @@ -66,32 +82,14 @@ if (isset($id) && $a_nat[$id]) { $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts']; $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host']; $pconfig['max_paf'] = $a_nat[$id]['max_paf']; - $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; - $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; - $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; - $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; - $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs']; - $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; - $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; - $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit']; - $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy']; - $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; - $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout']; - $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; - $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; - $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async']; - $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; - $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff']; - $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri']; - $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname']; - $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect']; $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['ftp_telnet_inspection_type'] = $a_nat[$id]['ftp_telnet_inspection_type']; + $pconfig['ftp_telnet_alert_encrypted'] = $a_nat[$id]['ftp_telnet_alert_encrypted']; + $pconfig['ftp_telnet_check_encrypted'] = $a_nat[$id]['ftp_telnet_check_encrypted']; + $pconfig['ftp_telnet_normalize'] = $a_nat[$id]['ftp_telnet_normalize']; + $pconfig['ftp_telnet_detect_anomalies'] = $a_nat[$id]['ftp_telnet_detect_anomalies']; + $pconfig['ftp_telnet_ayt_attack_threshold'] = $a_nat[$id]['ftp_telnet_ayt_attack_threshold']; $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol']; @@ -102,6 +100,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold']; + $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output']; $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; @@ -112,13 +112,123 @@ if (isset($id) && $a_nat[$id]) { $pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc']; $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + + // Frag3 global settings $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; - $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit']; - $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len']; - $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy']; $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags']; $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap']; - $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout']; + + // See if new Frag3 engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['frag3_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $pconfig['frag3_engine']['item'] = array(); + $pconfig['frag3_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['frag3_engine']['item'])) + $a_nat[$id]['frag3_engine']['item'] = array(); + $a_nat[$id]['frag3_engine']['item'][] = $default; + write_config(); + $frag3_engine_next_id++; + } + else + $pconfig['frag3_engine'] = $a_nat[$id]['frag3_engine']; + + // Stream5 global settings + $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; + $pconfig['stream5_flush_on_alert'] = $a_nat[$id]['stream5_flush_on_alert']; + $pconfig['stream5_prune_log_max'] = $a_nat[$id]['stream5_prune_log_max']; + $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; + $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; + $pconfig['stream5_max_tcp'] = $a_nat[$id]['stream5_max_tcp']; + $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; + $pconfig['stream5_max_udp'] = $a_nat[$id]['stream5_max_udp']; + $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; + $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; + $pconfig['stream5_max_icmp'] = $a_nat[$id]['stream5_max_icmp']; + $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; + + // See if new Stream5 engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['stream5_tcp_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $pconfig['stream5_tcp_engine']['item'] = array(); + $pconfig['stream5_tcp_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['stream5_tcp_engine']['item'])) + $a_nat[$id]['stream5_tcp_engine']['item'] = array(); + $a_nat[$id]['stream5_tcp_engine']['item'][] = $default; + write_config(); + $stream5_tcp_engine_next_id++; + } + else + $pconfig['stream5_tcp_engine'] = $a_nat[$id]['stream5_tcp_engine']; + + // HTTP_INSPECT global settings + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; + $pconfig['http_inspect_proxy_alert'] = $a_nat[$id]['http_inspect_proxy_alert']; + $pconfig['http_inspect_max_gzip_mem'] = $a_nat[$id]['http_inspect_max_gzip_mem']; + + // See if new HTTP_INSPECT engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['http_inspect_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + $pconfig['http_inspect_engine']['item'] = array(); + $pconfig['http_inspect_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['http_inspect_engine']['item'])) + $a_nat[$id]['http_inspect_engine']['item'] = array(); + $a_nat[$id]['http_inspect_engine']['item'][] = $default; + write_config(); + $http_inspect_engine_next_id++; + } + else + $pconfig['http_inspect_engine'] = $a_nat[$id]['http_inspect_engine']; + + // See if new FTP client engine array is configured and use it; + // otherwise create a default engine configuration.. + if (empty($pconfig['ftp_client_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + $pconfig['ftp_client_engine']['item'] = array(); + $pconfig['ftp_client_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['ftp_client_engine']['item'])) + $a_nat[$id]['ftp_client_engine']['item'] = array(); + $a_nat[$id]['ftp_client_engine']['item'][] = $default; + write_config(); + $ftp_client_engine_next_id++; + } + else + $pconfig['ftp_client_engine'] = $a_nat[$id]['ftp_client_engine']; + + // See if new FTP server engine array is configured and use it; + // otherwise create a default engine configuration.. + if (empty($pconfig['ftp_server_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + $pconfig['ftp_server_engine']['item'] = array(); + $pconfig['ftp_server_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['ftp_server_engine']['item'])) + $a_nat[$id]['ftp_server_engine']['item'] = array(); + $a_nat[$id]['ftp_server_engine']['item'][] = $default; + write_config(); + $ftp_server_engine_next_id++; + } + else + $pconfig['ftp_server_engine'] = $a_nat[$id]['ftp_server_engine']; /* If not using the Snort VRT rules, then disable */ /* the Sensitive Data (sdf) preprocessor. */ @@ -134,10 +244,28 @@ if (isset($id) && $a_nat[$id]) { $pconfig['max_attribute_hosts'] = '10000'; if (empty($pconfig['max_attribute_services_per_host'])) $pconfig['max_attribute_services_per_host'] = '10'; - if (empty($pconfig['max_paf'])) + + if (empty($pconfig['max_paf']) && $pconfig['max_paf'] <> 0) $pconfig['max_paf'] = '16000'; + if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; + if (empty($pconfig['ftp_telnet_inspection_type'])) + $pconfig['ftp_telnet_inspection_type'] = 'stateful'; + if (empty($pconfig['ftp_telnet_alert_encrypted'])) + $pconfig['ftp_telnet_alert_encrypted'] = 'off'; + if (empty($pconfig['ftp_telnet_check_encrypted'])) + $pconfig['ftp_telnet_check_encrypted'] = 'on'; + if (empty($pconfig['ftp_telnet_normalize'])) + $pconfig['ftp_telnet_normalize'] = 'on'; + if (empty($pconfig['ftp_telnet_detect_anomalies'])) + $pconfig['ftp_telnet_detect_anomalies'] = 'on'; + if (empty($pconfig['ftp_telnet_ayt_attack_threshold']) && $pconfig['ftp_telnet_ayt_attack_threshold'] <> 0) + $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; + if (empty($pconfig['sdf_alert_threshold'])) + $pconfig['sdf_alert_threshold'] = '25'; + if (empty($pconfig['sdf_mask_output'])) + $pconfig['sdf_mask_output'] = 'off'; if (empty($pconfig['smtp_preprocessor'])) $pconfig['smtp_preprocessor'] = 'on'; if (empty($pconfig['dce_rpc_2'])) @@ -156,46 +284,48 @@ if (isset($id) && $a_nat[$id]) { $pconfig['other_preprocs'] = 'on'; if (empty($pconfig['ssh_preproc'])) $pconfig['ssh_preproc'] = 'on'; + + if (empty($pconfig['http_inspect'])) + $pconfig['http_inspect'] = "on"; + if (empty($pconfig['http_inspect_proxy_alert'])) + $pconfig['http_inspect_proxy_alert'] = "off"; if (empty($pconfig['http_inspect_memcap'])) $pconfig['http_inspect_memcap'] = "150994944"; - if (empty($pconfig['frag3_overlap_limit'])) - $pconfig['frag3_overlap_limit'] = '0'; - if (empty($pconfig['frag3_min_frag_len'])) - $pconfig['frag3_min_frag_len'] = '0'; + if (empty($pconfig['http_inspect_max_gzip_mem'])) + $pconfig['http_inspect_max_gzip_mem'] = "838860"; + if (empty($pconfig['frag3_max_frags'])) $pconfig['frag3_max_frags'] = '8192'; - if (empty($pconfig['frag3_policy'])) - $pconfig['frag3_policy'] = 'bsd'; if (empty($pconfig['frag3_memcap'])) $pconfig['frag3_memcap'] = '4194304'; - if (empty($pconfig['frag3_timeout'])) - $pconfig['frag3_timeout'] = '60'; if (empty($pconfig['frag3_detection'])) $pconfig['frag3_detection'] = 'on'; + if (empty($pconfig['stream5_reassembly'])) $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_flush_on_alert'])) + $pconfig['stream5_flush_on_alert'] = 'off'; + if (empty($pconfig['stream5_prune_log_max']) && $pconfig['stream5_prune_log_max'] <> 0) + $pconfig['stream5_prune_log_max'] = '1048576'; if (empty($pconfig['stream5_track_tcp'])) $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_max_tcp'])) + $pconfig['stream5_max_tcp'] = '262144'; if (empty($pconfig['stream5_track_udp'])) $pconfig['stream5_track_udp'] = 'on'; - if (empty($pconfig['stream5_track_icmp'])) - $pconfig['stream5_track_icmp'] = 'off'; - if (empty($pconfig['stream5_require_3whs'])) - $pconfig['stream5_require_3whs'] = 'off'; - if (empty($pconfig['stream5_overlap_limit'])) - $pconfig['stream5_overlap_limit'] = '0'; - if (empty($pconfig['stream5_tcp_timeout'])) - $pconfig['stream5_tcp_timeout'] = '30'; + if (empty($pconfig['stream5_max_udp'])) + $pconfig['stream5_max_udp'] = '131072'; if (empty($pconfig['stream5_udp_timeout'])) $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_max_icmp'])) + $pconfig['stream5_max_icmp'] = '65536'; if (empty($pconfig['stream5_icmp_timeout'])) $pconfig['stream5_icmp_timeout'] = '30'; - if (empty($pconfig['stream5_no_reassemble_async'])) - $pconfig['stream5_no_reassemble_async'] = 'off'; - if (empty($pconfig['stream5_dont_store_lg_pkts'])) - $pconfig['stream5_dont_store_lg_pkts'] = 'off'; - if (empty($pconfig['stream5_policy'])) - $pconfig['stream5_policy'] = 'bsd'; + if (empty($pconfig['stream5_mem_cap'])) + $pconfig['stream5_mem_cap']= '8388608'; + if (empty($pconfig['pscan_protocol'])) $pconfig['pscan_protocol'] = 'all'; if (empty($pconfig['pscan_type'])) @@ -210,6 +340,34 @@ if (isset($id) && $a_nat[$id]) { $iface = snort_get_friendly_interface($pconfig['interface']); $disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; +if ($_GET['act'] && isset($_GET['eng_id'])) { + + $natent = array(); + $natent = $pconfig; + + if ($_GET['act'] == "del_frag3") + unset($natent['frag3_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_stream5_tcp") + unset($natent['stream5_tcp_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_http_inspect") + unset($natent['http_inspect_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_ftp_server") + unset($natent['ftp_server_engine']['item'][$_GET['eng_id']]); + + if (isset($id) && $a_nat[$id]) { + $a_nat[$id] = $natent; + write_config(); + } + + header("Location: snort_preprocessors.php?id=$id"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + if ($_POST['ResetAll']) { /* Reset all the preprocessor settings to defaults */ @@ -218,32 +376,30 @@ if ($_POST['ResetAll']) { $pconfig['max_attribute_hosts'] = '10000'; $pconfig['max_attribute_services_per_host'] = '10'; $pconfig['max_paf'] = '16000'; - $pconfig['server_flow_depth'] = "300"; - $pconfig['http_server_profile'] = "all"; - $pconfig['client_flow_depth'] = "300"; $pconfig['stream5_reassembly'] = "on"; - $pconfig['stream5_require_3whs'] = "off"; + $pconfig['stream5_flush_on_alert'] = 'off'; + $pconfig['stream5_prune_log_max'] = '1048576'; $pconfig['stream5_track_tcp'] = "on"; + $pconfig['stream5_max_tcp'] = "262144"; $pconfig['stream5_track_udp'] = "on"; + $pconfig['stream5_max_udp'] = "131072"; $pconfig['stream5_track_icmp'] = "off"; - $pconfig['max_queued_bytes'] = "1048576"; - $pconfig['max_queued_segs'] = "2621"; - $pconfig['stream5_overlap_limit'] = "0"; - $pconfig['stream5_policy'] = "bsd"; + $pconfig['stream5_max_icmp'] = "65536"; $pconfig['stream5_mem_cap'] = "8388608"; - $pconfig['stream5_tcp_timeout'] = "30"; $pconfig['stream5_udp_timeout'] = "30"; $pconfig['stream5_icmp_timeout'] = "30"; - $pconfig['stream5_no_reassemble_async'] = "off"; - $pconfig['stream5_dont_store_lg_pkts'] = "off"; $pconfig['http_inspect'] = "on"; - $pconfig['http_inspect_enable_xff'] = "off"; - $pconfig['http_inspect_log_uri'] = "off"; - $pconfig['http_inspect_log_hostname'] = "off"; - $pconfig['noalert_http_inspect'] = "on"; + $pconfig['http_inspect_proxy_alert'] = "off"; $pconfig['http_inspect_memcap'] = "150994944"; + $pconfig['http_inspect_max_gzip_mem'] = "838860"; $pconfig['other_preprocs'] = "on"; $pconfig['ftp_preprocessor'] = "on"; + $pconfig['ftp_telnet_inspection_type'] = "stateful"; + $pconfig['ftp_telnet_alert_encrypted'] = "off"; + $pconfig['ftp_telnet_check_encrypted'] = "on"; + $pconfig['ftp_telnet_normalize'] = "on"; + $pconfig['ftp_telnet_detect_anomalies'] = "on"; + $pconfig['ftp_telnet_ayt_attack_threshold'] = "20"; $pconfig['smtp_preprocessor'] = "on"; $pconfig['sf_portscan'] = "off"; $pconfig['pscan_protocol'] = "all"; @@ -254,6 +410,8 @@ if ($_POST['ResetAll']) { $pconfig['dce_rpc_2'] = "on"; $pconfig['dns_preprocessor'] = "on"; $pconfig['sensitive_data'] = "off"; + $pconfig['sdf_alert_threshold'] = "25"; + $pconfig['sdf_mask_output'] = "off"; $pconfig['ssl_preproc'] = "on"; $pconfig['pop_preproc'] = "on"; $pconfig['imap_preproc'] = "on"; @@ -265,22 +423,21 @@ if ($_POST['ResetAll']) { $pconfig['preproc_auto_rule_disable'] = "off"; $pconfig['protect_preproc_rules'] = "off"; $pconfig['frag3_detection'] = "on"; - $pconfig['frag3_overlap_limit'] = "0"; - $pconfig['frag3_min_frag_len'] = "0"; - $pconfig['frag3_policy'] = "bsd"; $pconfig['frag3_max_frags'] = "8192"; $pconfig['frag3_memcap'] = "4194304"; - $pconfig['frag3_timeout'] = "60"; /* Log a message at the top of the page to inform the user */ - $savemsg = "All preprocessor settings have been reset to the defaults."; + $savemsg = gettext("All preprocessor settings have been reset to their defaults."); } elseif ($_POST['Submit']) { $natent = array(); $natent = $pconfig; - if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) - $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option."; + // Validate SDF alert threshold if value if enabled + if ($_POST['sensitive_data'] == 'on') { + if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 4294067295) + $input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 4,294,067,295."); + } /* if no errors write to conf */ if (!$input_errors) { @@ -288,48 +445,42 @@ elseif ($_POST['Submit']) { if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; } if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; } if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; } - if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } - if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } - if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; } - if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; } - if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; } + if ($_POST['http_inspect_max_gzip_mem'] != "") { $natent['http_inspect_max_gzip_mem'] = $_POST['http_inspect_max_gzip_mem']; }else{ $natent['http_inspect_max_gzip_mem'] = "838860"; } if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; } - if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; } + if ($_POST['stream5_prune_log_max'] != "") { $natent['stream5_prune_log_max'] = $_POST['stream5_prune_log_max']; }else{ $natent['stream5_prune_log_max'] = "1048576"; } if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; } if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; } - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; } - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; } + if ($_POST['stream5_max_tcp'] != "") { $natent['stream5_max_tcp'] = $_POST['stream5_max_tcp']; }else{ $natent['stream5_max_tcp'] = "262144"; } + if ($_POST['stream5_max_udp'] != "") { $natent['stream5_max_udp'] = $_POST['stream5_max_udp']; }else{ $natent['stream5_max_udp'] = "131072"; } + if ($_POST['stream5_max_icmp'] != "") { $natent['stream5_max_icmp'] = $_POST['stream5_max_icmp']; }else{ $natent['stream5_max_icmp'] = "65536"; } if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; } if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; } if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; } if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } - if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; } - if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; } - if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; } + if ($_POST['pscan_ignore_scanners'] != "") { $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; }else{ $natent['pscan_ignore_scanners'] = ""; } if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; } if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; } - if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; } - - if ($_POST['pscan_ignore_scanners']) - $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; - else - unset($natent['pscan_ignore_scanners']); + if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; } + if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; } + if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; } $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; - $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; - $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; - $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off'; - $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off'; + $natent['http_inspect_proxy_alert'] = $_POST['http_inspect_proxy_alert'] ? 'on' : 'off'; $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; + $natent['ftp_telnet_alert_encrypted'] = $_POST['ftp_telnet_alert_encrypted'] ? 'on' : 'off'; + $natent['ftp_telnet_check_encrypted'] = $_POST['ftp_telnet_check_encrypted'] ? 'on' : 'off'; + $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off'; + $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off'; $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off'; $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; @@ -343,28 +494,20 @@ elseif ($_POST['Submit']) { $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off'; $natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off'; + $natent['stream5_flush_on_alert'] = $_POST['stream5_flush_on_alert'] ? 'on' : 'off'; $natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off'; $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; - $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; - $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; - $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; /* If 'preproc_auto_rule_disable' is off, then clear log file */ if ($natent['preproc_auto_rule_disable'] == 'off') @unlink("{$disabled_rules_log}"); - if (isset($id) && $a_nat[$id]) + if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; + write_config(); } - write_config(); - /* Set flag to rebuild rules for this interface */ $rebuild_rules = true; @@ -436,7 +579,7 @@ if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_d $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file."); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow"); include_once("head.inc"); ?> @@ -546,7 +689,7 @@ include_once("head.inc"); 0): ?>   - +     @@ -554,7 +697,7 @@ include_once("head.inc"); - + @@ -564,13 +707,11 @@ include_once("head.inc"); . - +
- "on") echo "disabled"; ?>>   - "on") echo "disabled"; ?>>
+    +


@@ -580,9 +721,8 @@ include_once("head.inc");

- " - class="formbtn" - "on") echo "disabled"; ?>>   + " class="formbtn">   - + - @@ -608,14 +747,13 @@ include_once("head.inc"); "Default is ") . "" . gettext("10000") . ""; ?>.
- + - +
"on") echo "disabled"; ?>>   +    " . gettext("32") . "" . gettext(" and Max is ") . "" . gettext("524288") . ""; ?>.
- @@ -627,250 +765,185 @@ include_once("head.inc"); - + - - + + - - - - - - - - - - - - - - + + + + + + - - + + - - - - - - + + - - - - - - - + + - + + "" . gettext("Checked") . ".";?> - - - + + - - - + + - - - - - - - - - - + + - - - - - - + + @@ -879,182 +952,155 @@ include_once("head.inc"); " . gettext("Checked") . ""; ?>. - + + + + + + + + + - - - - - - - - - - - - - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - - - + @@ -1064,7 +1110,7 @@ include_once("head.inc"); " . gettext("Not Checked") . ""; ?>. - + - +
"on") echo "disabled"; ?>>   +    " . gettext("1") . "" . gettext(" and Max is ") . "" . gettext("65535") . ""; ?>.
- - - - -
   - " . gettext("0") . "" . gettext(" (off) and Max is ") . "" . - gettext("63780") . ""; ?>.
- " . gettext("16000") . ". " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.
+   + " . gettext("0") . "" . gettext(" (off) and Max is ") . "" . + gettext("63780") . ""; ?>.

+ " . gettext("16000") . ". " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.
> - + > + .
> - - .
> - - .
> - - .
> + + .

+ " . gettext("By adding Server Configurations below and enabling " . + "the 'allow_proxy_use' parameter within them, alerts will be generated for web users that aren't using the configured " . + "proxies or are using a rogue proxy server.") . "

" . gettext("Warning: ") . + "" . gettext("If users are not required to configure web proxy use, you may get a lot " . + "of proxy alerts. Only use this feature with traditional proxy environments. Blind firewall proxies don't count!");?> +
- - - - -
   - " . gettext("2304") . "" . gettext(" and Max is ") . "" . - gettext("603979776") . "" . gettext(" (576 MB)"); ?>.
- " . gettext("150,994,944") . "" . gettext(" (144 MB)."); ?> - .
+   + " . gettext("2304") . "" . gettext(" and the Maximum is ") . "" . + gettext("603979776") . "" . gettext(" (576 MB)"); ?>.

+ " . gettext("150,994,944") . "" . gettext(" (144 MB)."); ?> + .
- - - - -
  -1 " . - "to 65535 (-1 disables HTTP " . - "inspect, 0 enables all HTTP inspect)"); ?>
-
- 300"); ?>
-
-   " . gettext("All") . ""; ?>
-
+   + " . gettext("3276") . "";?>.

+ " . gettext("838860") . "" . gettext(" bytes.");?> +
- - - - -
-1 " . - "to 1460 (-1 disables HTTP " . - "inspect, 0 enables all HTTP inspect)"); ?>
-
- 300"); ?>
+ + + + + + + + + + + + + + $v): ?> + + + + + + +
+ "> + + ">
+ "> + "all") : ?> + + "> + + "> + +
- onClick="enable_change(false);"> - .
- onClick="enable_change(false)"> + > " . gettext("Checked") . ""; ?>.
- - - - -
- .
+
+
" . gettext("4MB") . ""; ?>.
+ "" . gettext("4MB") . "."; ?>
- - - - -
-
+
+ .
8192."; ?>
-
- - - - -
- 0" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?>
- 0" . gettext(" (unlimited)."); ?>
+ "8192.";?>
- - - - -
- 0" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?>
- 0" . gettext(" (check is disabled)."); ?>
-
- - - - -
-
- " . gettext("60 ") . "" . gettext("seconds."); ?>
-
-   " . gettext("BSD") . ""; ?>.
-
+ + + + + + + + + + + + + + $v): ?> + + + + + + +
+ "> + + ">
+ "> + "all") : ?> + + "> + + "> + +
> + " . gettext("Not Checked") . "
" . + gettext("Note: ") . "" . gettext("This parameter is for backwards compatibility.");?>
+ + 0" . gettext(" (disabled), or if not disabled, ") . + "1024" . gettext(". Maximum is ") . "" . gettext("1073741824") . "";?>. + 1048576" . gettext(" bytes."); ?>
+
> + onclick="stream5_track_tcp_enable_change();"> " . gettext("Checked") . "."; ?>
> + onclick="stream5_track_udp_enable_change();"> " . gettext("Checked") . "."; ?>
> + onclick="stream5_track_icmp_enable_change();"> " . gettext("Not Checked") . "."; ?>
> - " . gettext("Not Checked") . ""; ?>.
> - " . gettext("Not Checked") . ""; ?>.
- > - " . gettext("Not Checked") . ""; ?>.
- " . gettext("Warning: ") . "" . - gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?>
- - - - -
- 1024, Maximum is 1073741824 " . - "( default value is 1048576, 0 " . - "means Maximum )"); ?>.
- 1048576"); ?>.
+ + 1" . gettext(" and Max is ") . + "" . gettext("1048576") . ".";?>
+ " . gettext("131072") . "."; ?>
- - - - -
- 2, Maximum is 1073741824 " . - "( default value is 2621, 0 means " . - "Maximum )"); ?>.
- 2621"); ?>.
+ + 1" . gettext(" and Max is ") . + "" . gettext("86400") . "" . gettext(" (1 day).");?>
+ " . gettext("30") . "" . gettext(" seconds."); ?>
- - - - -
- 32768, Maximum is 1073741824 " . - "( default value is 8388608) "); ?>.
- 8388608 (8 MB)"); ?>.
+ + 1" . gettext(" and Max is ") . + "" . gettext("1048576") . ".";?>
+ " . gettext("65536") . "."; ?>
- - - - -
- 0" . gettext(" (unlimited), and the maximum is ") . - "255."; ?>
- 0" . gettext(" (unlimited)."); ?>
+ + 1" . gettext(" and Max is ") . + "86400" . gettext(" (1 day).");?>
+ " . gettext("30") . "" . gettext(" seconds."); ?>
- - - - -
- 1" . gettext(" and the maximum is ") . - "86400" . gettext(" (approximately 1 day)"); ?>.
- 30" . gettext(" seconds."); ?>
+ + 1" . gettext(" and Max is ") . + "" . gettext("1048576") . ".";?>
+ " . gettext("262144") . "."; ?>
- - - - -
- 1" . gettext(" and the maximum is ") . - "86400" . gettext(" (approximately 1 day)"); ?>.
- 30" . gettext(" seconds."); ?>
+ + " . gettext("32768") . "" . + gettext(" and Max is ") . "" . gettext("1073741824") . "" . + gettext(" bytes.");?>
+ " . gettext("8388608") . "" . gettext(" (8 MB)"); ?>.
- - - - -
- 1" . gettext(" and the maximum is ") . - "86400" . gettext(" (approximately 1 day)"); ?>.
- 30" . gettext(" seconds."); ?>
-
-   " . gettext("BSD") . ""; ?>.
-
+ + + + + + + + + + + + + + $v): ?> + + + + + + +
+ "> + + ">
+ "> + "all") : ?> + + "> + + "> + +
- + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + @@ -1177,13 +1422,6 @@ include_once("head.inc"); " . gettext("Checked") . ""; ?>. - - - - @@ -1235,7 +1473,7 @@ include_once("head.inc"); @@ -1247,21 +1485,7 @@ include_once("head.inc"); "" . gettext("Checked") . ""; ?>. - - - - - + @@ -1315,6 +1539,7 @@ include_once("head.inc"); if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string if (trim(filter_expand_alias($alias_name['name'])) == "") continue; if($addrisfirst == 1) $aliasesaddr .= ","; @@ -1334,6 +1559,8 @@ include_once("head.inc"); function createAutoSuggest() { } @@ -1350,41 +1577,125 @@ function frag3_enable_change() { } } var endis = !(document.iform.frag3_detection.checked); - document.iform.frag3_overlap_limit.disabled=endis; - document.iform.frag3_min_frag_len.disabled=endis; - document.iform.frag3_policy.disabled=endis; - document.iform.frag3_max_frags.disabled=endis; - document.iform.frag3_memcap.disabled=endis; - document.iform.frag3_timeout.disabled=endis; + + // Hide the "config engines" table if Frag3 disabled + if (endis) { + document.getElementById("frag3_engconf_row").style.display="none"; + document.getElementById("frag3_memcap_row").style.display="none"; + document.getElementById("frag3_maxfrags_row").style.display="none"; + } + else { + document.getElementById("frag3_engconf_row").style.display="table-row"; + document.getElementById("frag3_memcap_row").style.display="table-row"; + document.getElementById("frag3_maxfrags_row").style.display="table-row"; + } } function host_attribute_table_enable_change() { var endis = !(document.iform.host_attribute_table.checked); - document.iform.host_attribute_file.disabled=endis; - document.iform.btn_import.disabled=endis; - document.iform.btn_edit_hat.disabled=endis; - document.iform.max_attribute_hosts.disabled=endis; - document.iform.max_attribute_services_per_host.disabled=endis; + + // Hide "Host Attribute Table" config rows if HAT disabled + if (endis) { + document.getElementById("host_attrib_table_data_row").style.display="none"; + document.getElementById("host_attrib_table_maxhosts_row").style.display="none"; + document.getElementById("host_attrib_table_maxsvcs_row").style.display="none"; + } + else { + document.getElementById("host_attrib_table_data_row").style.display="table-row"; + document.getElementById("host_attrib_table_maxhosts_row").style.display="table-row"; + document.getElementById("host_attrib_table_maxsvcs_row").style.display="table-row"; + } +} + +function stream5_track_tcp_enable_change() { + var endis = !(document.iform.stream5_track_tcp.checked); + + // Hide the "tcp_memcap and tcp_engconf" rows if stream5_track_tcp disabled + if (endis) { + document.getElementById("stream5_maxtcp_row").style.display="none"; + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + } + else { + document.getElementById("stream5_maxtcp_row").style.display="table-row"; + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + } +} + +function stream5_track_udp_enable_change() { + var endis = !(document.iform.stream5_track_udp.checked); + + // Hide the "udp session timeout " row if stream5_track_udp disabled + if (endis) { + var msg = "WARNING: Stream5 UDP tracking is required by the Session Initiation Protocol (SIP) preprocessor! "; + msg = msg + "The SIP preprocessor will be automatically disabled if Stream5 UDP tracking is disabled.\n\n"; + msg = msg + "Snort may fail to start because of rule options dependent on the SIP preprocessor. "; + msg = msg + "Are you sure you want to disable Stream5 UDP tracking?\n\n"; + msg = msg + "Click OK to disable Stream5 UDP tracking, or CANCEL to quit."; + if (!confirm(msg)) + return; + document.iform.sip_preproc.checked=false; + document.getElementById("stream5_maxudp_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + } + else { + document.getElementById("stream5_maxudp_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + } +} + +function stream5_track_icmp_enable_change() { + var endis = !(document.iform.stream5_track_icmp.checked); + + // Hide the "icmp session timeout " row if stream5_track_icmp disabled + if (endis) { + document.getElementById("stream5_maxicmp_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + } + else { + document.getElementById("stream5_maxicmp_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + } } function http_inspect_enable_change() { var endis = !(document.iform.http_inspect.checked); - document.iform.http_inspect_enable_xff.disabled=endis; - document.iform.server_flow_depth.disabled=endis; - document.iform.client_flow_depth.disabled=endis; - document.iform.http_server_profile.disabled=endis; document.iform.http_inspect_memcap.disabled=endis; - document.iform.http_inspect_log_uri.disabled=endis; - document.iform.http_inspect_log_hostname.disabled=endis; + + // Hide the "icmp session timeout " row if stream5_track_icmp disabled + if (endis) { + document.getElementById("httpinspect_memcap_row").style.display="none"; + document.getElementById("httpinspect_maxgzipmem_row").style.display="none"; + document.getElementById("httpinspect_proxyalert_row").style.display="none"; + document.getElementById("httpinspect_engconf_row").style.display="none"; + } + else { + document.getElementById("httpinspect_memcap_row").style.display="table-row"; + document.getElementById("httpinspect_maxgzipmem_row").style.display="table-row"; + document.getElementById("httpinspect_proxyalert_row").style.display="table-row"; + document.getElementById("httpinspect_engconf_row").style.display="table-row"; + } } function sf_portscan_enable_change() { var endis = !(document.iform.sf_portscan.checked); - document.iform.pscan_protocol.disabled=endis; - document.iform.pscan_type.disabled=endis; - document.iform.pscan_memcap.disabled=endis; - document.iform.pscan_sense_level.disabled=endis; - document.iform.pscan_ignore_scanners.disabled=endis; + + // Hide the portscan configuration rows if sf_portscan disabled + if (endis) { + document.getElementById("portscan_protocol_row").style.display="none"; + document.getElementById("portscan_type_row").style.display="none"; + document.getElementById("portscan_sensitivity_row").style.display="none"; + document.getElementById("portscan_memcap_row").style.display="none"; + document.getElementById("portscan_ignorescanners_row").style.display="none"; + } + else { + document.getElementById("portscan_protocol_row").style.display="table-row"; + document.getElementById("portscan_type_row").style.display="table-row"; + document.getElementById("portscan_sensitivity_row").style.display="table-row"; + document.getElementById("portscan_memcap_row").style.display="table-row"; + document.getElementById("portscan_ignorescanners_row").style.display="table-row"; + } } function stream5_enable_change() { @@ -1419,43 +1730,126 @@ function stream5_enable_change() { } var endis = !(document.iform.stream5_reassembly.checked); - document.iform.max_queued_bytes.disabled=endis; - document.iform.max_queued_segs.disabled=endis; - document.iform.stream5_mem_cap.disabled=endis; - document.iform.stream5_policy.disabled=endis; - document.iform.stream5_overlap_limit.disabled=endis; - document.iform.stream5_no_reassemble_async.disabled=endis; - document.iform.stream5_dont_store_lg_pkts.disabled=endis; - document.iform.stream5_tcp_timeout.disabled=endis; - document.iform.stream5_udp_timeout.disabled=endis; - document.iform.stream5_icmp_timeout.disabled=endis; + + // Hide the "stream5 conf" rows if stream5 disabled + if (endis) { + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_proto_tracking_row").style.display="none"; + document.getElementById("stream5_flushonalert_row").style.display="none"; + document.getElementById("stream5_prunelogmax_row").style.display="none"; + } + else { + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_proto_tracking_row").style.display="table-row"; + document.getElementById("stream5_flushonalert_row").style.display="table-row"; + document.getElementById("stream5_prunelogmax_row").style.display="table-row"; + } +} + +function ftp_telnet_enable_change() { + var endis = !(document.iform.ftp_preprocessor.checked); + + // Hide the ftp_telnet configuration rows if ftp_telnet disabled + if (endis) { + document.getElementById("ftp_telnet_row_type").style.display="none"; + document.getElementById("ftp_telnet_row_encrypted_alert").style.display="none"; + document.getElementById("ftp_telnet_row_encrypted_check").style.display="none"; + document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="none"; + document.getElementById("ftp_telnet_row_normalize").style.display="none"; + document.getElementById("ftp_telnet_row_detect_anomalies").style.display="none"; + document.getElementById("ftp_telnet_row_ayt_threshold").style.display="none"; + document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="none"; + document.getElementById("ftp_telnet_ftp_client_row").style.display="none"; + document.getElementById("ftp_telnet_ftp_server_row").style.display="none"; + } + else { + document.getElementById("ftp_telnet_row_type").style.display="table-row"; + document.getElementById("ftp_telnet_row_encrypted_alert").style.display="table-row"; + document.getElementById("ftp_telnet_row_encrypted_check").style.display="table-row"; + document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="table-row"; + document.getElementById("ftp_telnet_row_normalize").style.display="table-row"; + document.getElementById("ftp_telnet_row_detect_anomalies").style.display="table-row"; + document.getElementById("ftp_telnet_row_ayt_threshold").style.display="table-row"; + document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="table-row"; + document.getElementById("ftp_telnet_ftp_client_row").style.display="table-row"; + document.getElementById("ftp_telnet_ftp_server_row").style.display="table-row"; + } +} + +function sensitive_data_enable_change() { + var endis = !(document.iform.sensitive_data.checked); + + // Hide the sensitive_data configuration rows if sensitive_data disabled + if (endis) { + document.getElementById("sdf_alert_threshold_row").style.display="none"; + document.getElementById("sdf_mask_output_row").style.display="none"; + } + else { + document.getElementById("sdf_alert_threshold_row").style.display="table-row"; + document.getElementById("sdf_mask_output_row").style.display="table-row"; + } } function enable_change_all() { http_inspect_enable_change(); sf_portscan_enable_change(); - // Enable/Disable Frag3 settings + // -- Enable/Disable Host Attribute Table settings -- + host_attribute_table_enable_change(); + + // -- Enable/Disable Frag3 settings -- var endis = !(document.iform.frag3_detection.checked); - document.iform.frag3_overlap_limit.disabled=endis; - document.iform.frag3_min_frag_len.disabled=endis; - document.iform.frag3_policy.disabled=endis; - document.iform.frag3_max_frags.disabled=endis; - document.iform.frag3_memcap.disabled=endis; - document.iform.frag3_timeout.disabled=endis; - - // Enable/Disable Stream5 settings + // Hide the "config engines" table if Frag3 disabled + if (endis) { + document.getElementById("frag3_engconf_row").style.display="none"; + document.getElementById("frag3_memcap_row").style.display="none"; + document.getElementById("frag3_maxfrags_row").style.display="none"; + } + else { + document.getElementById("frag3_engconf_row").style.display="table-row"; + document.getElementById("frag3_memcap_row").style.display="table-row"; + document.getElementById("frag3_maxfrags_row").style.display="table-row"; + } + + // -- Enable/Disable Stream5 settings -- endis = !(document.iform.stream5_reassembly.checked); - document.iform.max_queued_bytes.disabled=endis; - document.iform.max_queued_segs.disabled=endis; - document.iform.stream5_mem_cap.disabled=endis; - document.iform.stream5_policy.disabled=endis; - document.iform.stream5_overlap_limit.disabled=endis; - document.iform.stream5_no_reassemble_async.disabled=endis; - document.iform.stream5_dont_store_lg_pkts.disabled=endis; - document.iform.stream5_tcp_timeout.disabled=endis; - document.iform.stream5_udp_timeout.disabled=endis; - document.iform.stream5_icmp_timeout.disabled=endis; + // Hide the "stream5 conf" rows if stream5 disabled + if (endis) { + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_proto_tracking_row").style.display="none"; + document.getElementById("stream5_flushonalert_row").style.display="none"; + document.getElementById("stream5_prunelogmax_row").style.display="none"; + document.getElementById("stream5_maxtcp_row").style.display="none"; + document.getElementById("stream5_maxudp_row").style.display="none"; + document.getElementById("stream5_maxicmp_row").style.display="none"; + } + else { + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_proto_tracking_row").style.display="table-row"; + document.getElementById("stream5_flushonalert_row").style.display="table-row"; + document.getElementById("stream5_prunelogmax_row").style.display="table-row"; + document.getElementById("stream5_maxtcp_row").style.display="table-row"; + document.getElementById("stream5_maxudp_row").style.display="table-row"; + document.getElementById("stream5_maxicmp_row").style.display="table-row"; + } + // Set other stream5 initial conditions + stream5_track_tcp_enable_change(); + stream5_track_udp_enable_change(); + stream5_track_icmp_enable_change(); + ftp_telnet_enable_change(); + sensitive_data_enable_change(); } function wopen(url, name, w, h) diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index c9852597..48d26d1d 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -379,7 +379,7 @@ require_once("guiconfig.inc"); include_once("head.inc"); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: {$if_friendly} Category: $currentruleset"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}"); ?> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 92330ebf..2f13d6bc 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -59,6 +59,7 @@ if(!isset($_SESSION['org_referer'])) $referrer = $_SESSION['org_referer']; if ($_POST['cancel']) { + session_start(); unset($_SESSION['org_referer']); session_write_close(); header("Location: {$referrer}"); @@ -69,6 +70,9 @@ $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; if (is_null($id)) { + session_start(); + unset($_SESSION['org_referer']); + session_write_close(); header("Location: /snort/snort_interfaces.php"); exit; } @@ -158,7 +162,7 @@ function truncate($string, $length) { $supplist = snort_load_suppress_sigs($a_nat[$id]); $if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); -$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Flowbit Rules"); include_once("head.inc"); ?> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 3c613f84..3b7ef916 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -71,16 +71,20 @@ $no_snort_files = false; $no_community_files = false; /* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ -if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') - $test = glob("{$snortdir}/rules/emerging-*.rules"); -elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) - $test = glob("{$snortdir}/rules/etpro-*.rules"); +if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') { + $test = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); + $et_type = "ET Open"; +} +elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) { + $test = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"); + $et_type = "ET Pro"; +} if (empty($test)) $no_emerging_files = true; -$test = glob("{$snortdir}/rules/snort*.rules"); +$test = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules"); if (empty($test)) $no_snort_files = true; -if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) +if (!file_exists("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules")) $no_community_files = true; if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) @@ -188,25 +192,25 @@ if ($_POST['selectall']) { } if ($emergingdownload == 'on') { - $files = glob("{$snortdir}/rules/emerging-*.rules"); + $files = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } elseif ($etpro == 'on') { - $files = glob("{$snortdir}/rules/etpro-*.rules"); + $files = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } if ($snortcommunitydownload == 'on') { - $files = glob("{$snortdir}/rules/*_community.rules"); + $files = glob("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules"); foreach ($files as $file) $rulesets[] = basename($file); } /* Include the Snort VRT rules only if enabled and no IPS policy is set */ if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') { - $files = glob("{$snortdir}/rules/snort*.rules"); + $files = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } @@ -223,7 +227,7 @@ if ($_POST['selectall']) { $enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Categories"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Categories"); include_once("head.inc"); ?> @@ -309,7 +313,7 @@ if ($savemsg) {
" . gettext("10000000") . "" . @@ -1158,17 +1204,216 @@ include_once("head.inc"); "10,000,000" . gettext(" bytes. (10 MB)"); ?>
-   " . gettext("\$HOME_NET") . ""; ?>.
-
+ + + + + + + + +
+   " . gettext("\$HOME_NET") . ""; ?>. + "/>
+
onclick="ftp_telnet_enable_change();"> + " . gettext("Checked") . ""; ?>.
+   " . gettext("stateful") . "."; ?>
+
> + " . gettext("Checked") . ""; ?>.
> + " . gettext("Not Checked") . ""; ?>.
> + " . gettext("Checked") . ""; ?>.
> + " . gettext("Checked") . ""; ?>.
+ + " . gettext("0") . "" . + gettext(" to disable. Default is ") . "" . gettext("20.") . "";?>
+
+
+ + + + + + + + + + + + + + $v): ?> + + + + + + +
+ "> + + ">
+ "> + "all") : ?> + + "> + + "> + +
+
+ + + + + + + + + + + + + + $v): ?> + + + + + + +
+ "> + + ">
+ "> + "all") : ?> + + "> + + "> + +
+
+ > + +
+ " . gettext("Global Settings") . "" . gettext(" tab."); ?> +
+
+ " . gettext("25") . ".";?> +
+ > + " . gettext("Not Checked") . "."; ?>
> - " . gettext("Checked") . ""; ?>.
> - " . gettext("Checked") . ""; ?>.
> - " . gettext("Checked") . ""; ?>.
- > - -
- -
- +
  - ', ''); ?> + " . gettext("Note: ") . "" . gettext("Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."); ?>
@@ -343,23 +347,23 @@ if ($savemsg) {
- +
+ - - + - - + + - + - + - + + + /> @@ -436,7 +441,7 @@ if ($savemsg) { - + @@ -459,11 +464,11 @@ if ($savemsg) { $filename = basename($filename); if (substr($filename, -5) != "rules") continue; - if (strstr($filename, "emerging-") && $emergingdownload == 'on') + if (strstr($filename, ET_OPEN_FILE_PREFIX) && $emergingdownload == 'on') $emergingrules[] = $filename; - else if (strstr($filename, "etpro-") && $etpro == 'on') + else if (strstr($filename, ET_PRO_FILE_PREFIX) && $etpro == 'on') $emergingrules[] = $filename; - else if (strstr($filename, "snort") && $snortdownload == 'on') { + else if (strstr($filename, VRT_FILE_PREFIX) && $snortdownload == 'on') { if (strstr($filename, ".so.rules")) $snortsorules[] = $filename; else @@ -589,6 +594,18 @@ function enable_change() var endis = !(document.iform.ips_policy_enable.checked); document.iform.ips_policy.disabled=endis; + if (endis) { + document.getElementById("ips_row1").style.display="none"; + document.getElementById("ips_row2").style.display="none"; + document.getElementById("ips_col1").className="vexpl"; + document.getElementById("ips_col2").className="vexpl"; + } + else { + document.getElementById("ips_row1").style.display="table-row"; + document.getElementById("ips_row2").style.display="table-row"; + document.getElementById("ips_col1").className="vncell"; + document.getElementById("ips_col2").className="vtable"; + } for (var i = 0; i < document.iform.elements.length; i++) { if (document.iform.elements[i].type == 'checkbox') { var str = document.iform.elements[i].value; @@ -597,6 +614,10 @@ function enable_change() } } } + +// Set initial state of dynamic HTML form controls +enable_change(); + diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php new file mode 100644 index 00000000..bd0a02e2 --- /dev/null +++ b/config/snort/snort_select_alias.php @@ -0,0 +1,245 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +// Set who called us so we can return to the correct page with +// the RETURN button. We will just trust this User-Agent supplied +// string for now. Check and make sure we don't store this page +// as the referrer so we don't stick the user in a loop. +session_start(); +if(!isset($_SESSION['org_referer']) && strpos($_SERVER['HTTP_REFERER'], $SERVER['PHP_SELF']) === false) + $_SESSION['org_referer'] = substr($_SERVER['HTTP_REFERER'], 0, strpos($_SERVER['HTTP_REFERER'], "?")); +$referrer = $_SESSION['org_referer']; + +// Get the QUERY_STRING from our referrer so we can return it. +if(!isset($_SESSION['org_querystr'])) + $_SESSION['org_querystr'] = $_SERVER['QUERY_STRING']; +$querystr = $_SESSION['org_querystr']; + +// Retrieve any passed QUERY STRING or POST variables +$type = $_GET['type']; +$varname = $_GET['varname']; +$multi_ip = $_GET['multi_ip']; +if (isset($_POST['type'])) + $type = $_POST['type']; +if (isset($_POST['varname'])) + $varname = $_POST['varname']; +if (isset($_POST['multi_ip'])) + $multi_ip = $_POST['multi_ip']; + +// Make sure we have a valid VARIABLE name +// and ALIAS TYPE, or else bail out. +if (is_null($type) || is_null($varname)) { + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: http://{$referrer}?{$querystr}"); + exit; +} + +// Used to track if any selectable Aliases are found +$selectablealias = false; + +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; + +// Create an array consisting of the Alias types the +// caller wants to select from. +$a_types = array(); +$a_types = explode('|', strtolower($type)); + +// Create a proper title based on the Alias types +$title = "a"; +switch (count($a_types)) { + case 1: + $title .= " " . ucfirst($a_types[0]); + break; + + case 2: + $title .= " " . ucfirst($a_types[0]) . " or " . ucfirst($a_types[1]); + break; + + case 3: + $title .= " " . ucfirst($a_types[0]) . ", " . ucfirst($a_types[1]) . " or " . ucfirst($a_types[2]); + + default: + $title = "n"; +} + +if ($_POST['cancel']) { + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: {$referrer}?{$querystr}"); + exit; +} + +if ($_POST['save']) { + if(empty($_POST['alias'])) + $input_errors[] = gettext("No alias is selected. Please select an alias before saving."); + + // if no errors, write new entry to conf + if (!$input_errors) { + $selection = $_POST['alias']; + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: {$referrer}?{$querystr}&varvalue={$selection}"); + exit; + } +} + +$pgtitle = gettext("Snort: Select {$title} Alias"); +include("head.inc"); + +?> + + + + + + + + +
+
onClick="enable_change()"/>   -
  - ',''); ?> +   + " . gettext("Note: ") . "" . gettext("You must be using the Snort VRT rules to use this option."); ?>
  
 
-
- />
+ + + + + + + + + + + + + + + + + + + + + +

+
+ + + + + + + + + + + + + + + + + + "; + $textse = ""; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple address entries cannot be used with the destination target."); + } + elseif (($alias['type'] == "network" || $alias['type'] == "host") && + trim(filter_expand_alias($alias['name'])) == "") { + $textss = ""; + $textse = ""; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entry will be imported. Click to toggle selection."); + } + ?> + + + + + + + + + + +
+ +
+ 10) { + echo "..."; + } + ?> + +   +
+
+ "/> +
+ "/>    + "/> +
+
+
+ + + + + diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php new file mode 100644 index 00000000..33fade40 --- /dev/null +++ b/config/snort/snort_stream5_engine.php @@ -0,0 +1,670 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +/* Retrieve required array index values from QUERY string if available. */ +/* 'id' is the [rule] array index, and 'eng_id' is the index for the */ +/* stream5_tcp_engine's [item] array. */ +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; + +/* See if values are in our form's POST content */ +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +/* If we don't have a [rule] index specified, exit */ +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['stream5_client_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +/* Initialize pointer into requisite section of [config] array */ +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']; + +$pconfig = array(); + +// If this is a new entry, intialize it with default values +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for empty values and set sensible defaults + if (empty($pconfig['policy'])) + $pconfig['policy'] = "bsd"; + if (empty($pconfig['timeout'])) + $pconfig['timeout'] = 30; + if (empty($pconfig['max_queued_bytes']) && $pconfig['max_queued_bytes'] <> 0) + $pconfig['max_queued_bytes'] = 1048576; + if (empty($pconfig['detect_anomalies'])) + $pconfig['detect_anomalies'] = "off"; + if (empty($pconfig['overlap_limit'])) + $pconfig['overlap_limit'] = 0; + if (empty($pconfig['max_queued_segs']) && $pconfig['max_queued_segs'] <> 0) + $pconfig['max_queued_segs'] = 2621; + if (empty($pconfig['require_3whs'])) + $pconfig['require_3whs'] = "off"; + if (empty($pconfig['startup_3whs_timeout'])) + $pconfig['startup_3whs_timeout'] = 0; + if (empty($pconfig['no_reassemble_async'])) + $pconfig['no_reassemble_async'] = "off"; + if (empty($pconfig['dont_store_lg_pkts'])) + $pconfig['dont_store_lg_pkts'] = "off"; + if (empty($pconfig['max_window'])) + $pconfig['max_window'] = 0; + if (empty($pconfig['use_static_footprint_sizes'])) + $pconfig['use_static_footprint_sizes'] = "off"; + if (empty($pconfig['check_session_hijacking'])) + $pconfig['check_session_hijacking'] = "off"; + if (empty($pconfig['ports_client'])) + $pconfig['ports_client'] = "default"; + if (empty($pconfig['ports_both'])) + $pconfig['ports_both'] = "default"; + if (empty($pconfig['ports_server'])) + $pconfig['ports_server'] = "none"; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['stream5_client_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports_client" || $_GET['varname'] == "ports_both" || $_GET['varname'] == "ports_server") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['stream5_client_import'])) + $_SESSION['stream5_client_import'] = array(); + + $_SESSION['stream5_client_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['stream5_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to']; + if (isset($_SESSION['stream5_client_import']['ports_client'])) + $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client']; + if (isset($_SESSION['stream5_client_import']['ports_both'])) + $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both']; + if (isset($_SESSION['stream5_client_import']['ports_server'])) + $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['stream5_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to']; + if (isset($_SESSION['stream5_client_import']['ports_client'])) + $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client']; + if (isset($_SESSION['stream5_client_import']['ports_both'])) + $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both']; + if (isset($_SESSION['stream5_client_import']['ports_server'])) + $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server']; + } + else { + unset($_SESSION['stream5_client_import']); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + unset($_SESSION['stream5_client_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['stream5_name']) { $engine['name'] = trim($_POST['stream5_name']); } else { $engine['name'] = "default"; } + + /* Validate input values before saving */ + if ($_POST['stream5_bind_to']) { + if (is_alias($_POST['stream5_bind_to'])) { + $engine['bind_to'] = $_POST['stream5_bind_to']; + if (!snort_is_single_addr_alias($_POST['stream5_bind_to'])) + $input_errors[] = gettext("An Alias that evaluates to a single IP address or CIDR network is required for the 'Bind-To IP Address' value."); + } + elseif (strtolower(trim($_POST['stream5_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['stream5_ports_client']) { + if (is_alias($_POST['stream5_ports_client'])) + $engine['ports_client'] = $_POST['stream5_ports_client']; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "default") + $engine['ports_client'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "all") + $engine['ports_client'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "none") + $engine['ports_client'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_client' value."); + } + if ($_POST['stream5_ports_both']) { + if (is_alias($_POST['stream5_ports_both'])) + $engine['ports_both'] = $_POST['stream5_ports_both']; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "default") + $engine['ports_both'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "all") + $engine['ports_both'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "none") + $engine['ports_both'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_both' value."); + } + if ($_POST['stream5_ports_server']) { + if (is_alias($_POST['stream5_ports_server'])) + $engine['ports_server'] = $_POST['stream5_ports_server']; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "default") + $engine['ports_server'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "all") + $engine['ports_server'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "none") + $engine['ports_server'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_server' value."); + } + + if (!empty($_POST['stream5_timeout']) || $_POST['stream5_timeout'] == 0) { + $engine['timeout'] = $_POST['stream5_timeout']; + if ($engine['timeout'] < 1 || $engine['timeout'] > 86400) + $input_errors[] = gettext("The value for Timeout must be between 1 and 86400."); + } + else + $engine['timeout'] = 60; + + if (!empty($_POST['stream5_max_queued_bytes']) || $_POST['stream5_max_queued_bytes'] == 0) { + $engine['max_queued_bytes'] = $_POST['stream5_max_queued_bytes']; + if ($engine['max_queued_bytes'] <> 0) { + if ($engine['max_queued_bytes'] < 1024 || $engine['max_queued_bytes'] > 1073741824) + $input_errors[] = gettext("The value for Max_Queued_Bytes must either be 0, or between 1024 and 1073741824."); + } + } + else + $engine['max_queued_bytes'] = 1048576; + + if (!empty($_POST['stream5_max_queued_segs']) || $_POST['stream5_max_queued_segs'] == 0) { + $engine['max_queued_segs'] = $_POST['stream5_max_queued_segs']; + if ($engine['max_queued_segs'] <> 0) { + if ($engine['max_queued_segs'] < 2 || $engine['max_queued_segs'] > 1073741824) + $input_errors[] = gettext("The value for Max_Queued_Segs must either be 0, or between 2 and 1073741824."); + } + } + else + $engine['max_queued_segs'] = 2621; + + if (!empty($_POST['stream5_overlap_limit']) || $_POST['stream5_overlap_limit'] == 0) { + $engine['overlap_limit'] = $_POST['stream5_overlap_limit']; + if ($engine['overlap_limit'] < 0 || $engine['overlap_limit'] > 255) + $input_errors[] = gettext("The value for Overlap_Limit must be between 0 and 255."); + } + else + $engine['overlap_limit'] = 0; + + if (!empty($_POST['stream5_max_window']) || $_POST['stream5_max_window'] == 0) { + $engine['max_window'] = $_POST['stream5_max_window']; + if ($engine['max_window'] < 0 || $engine['max_window'] > 1073725440) + $input_errors[] = gettext("The value for Max_Window must be between 0 and 1073725440."); + } + else + $engine['max_window'] = 0; + + if (!empty($_POST['stream5_3whs_startup_timeout']) || $_POST['stream5_3whs_startup_timeout'] == 0) { + $engine['startup_3whs_timeout'] = $_POST['stream5_3whs_startup_timeout']; + if ($engine['startup_3whs_timeout'] < 0 || $engine['startup_3whs_timeout'] > 86400) + $input_errors[] = gettext("The value for 3whs_Startup_Timeout must be between 0 and 86400."); + } + else + $engine['startup_3whs_timeout'] = 0; + + if ($_POST['stream5_policy']) { $engine['policy'] = $_POST['stream5_policy']; } else { $engine['policy'] = "bsd"; } + if ($_POST['stream5_ports']) { $engine['ports'] = $_POST['stream5_ports']; } else { $engine['ports'] = "both"; } + + $engine['detect_anomalies'] = $_POST['stream5_detect_anomalies'] ? 'on' : 'off'; + $engine['require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; + $engine['no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; + $engine['dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; + $engine['use_static_footprint_sizes'] = $_POST['stream5_use_static_footprint_sizes'] ? 'on' : 'off'; + $engine['check_session_hijacking'] = $_POST['stream5_check_session_hijacking'] ? 'on' : 'off'; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") + $input_errors[] = gettext("Only one default Stream5 Engine can be bound to all addresses."); + $pconfig = $engine; + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - Stream5 Preprocessor TCP Engine"); +include_once("head.inc"); + +?> + + + + + +
+ + +
+ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ >  + "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
+ " . gettext("default") . ""; ?>.
+
+ "default") : ?> + + + + + + + + +
  + "/>
" . gettext("all") . "" . gettext(". Only a single IP address or single network in CIDR form may be specified. ") . + gettext("IP Lists are not allowed.");?>

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'. ");?> + +   + " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>
+
+ +
+   " . gettext("BSD") . ""; ?>.

+
+
+ + + + + + + + + + + + + + + + +
  + " . gettext("default") . ".";?> + "/> +
  + " . gettext("none") . ".";?> + "/> +
  + " . gettext("default") . ".";?> + "/> +
+
+ +

+ " . + gettext("Supplied value must be a pre-configured Alias or the keyword 'default', 'all' or 'none'.");?>
+ " . gettext("Most users should leave these settings at their default values.");?> +
+ + 0" . gettext(" and max is ") . + "1073725440" . gettext(" (65535 left shift 14)"); ?>.

+ 0" . gettext(" (unlimited). This option is intended to prevent a DoS against Stream5 by " . + "attacker using an abnormally large window, so using a value near the maximum is discouraged."); ?>
+
+ + 1" . gettext(" and max is ") . + "86400" . gettext(" (approximately 1 day)"); ?>.

+ 30" . gettext(" seconds."); ?>
+
+ + " . gettext("1024") . "" . gettext(" and Maximum is ") . + "" . gettext("1073741824") . "" . gettext(" (") . + "" . gettext("0") . "" . gettext(" means Maximum)."); ?>

+ + 1048576"); ?>.
+
+ + " . gettext("2") . "" . gettext(" and Maximum is ") . + "" . gettext("1073741824") . "" . gettext(" (") . + "" . gettext("0") . "" . gettext(" means Maximum)");?>.

+ 2621"); ?>.
+
+ + 0" . gettext(" (unlimited) and Maximum is ") . "" . + gettext("255") . ""; ?>.

+ 0" . gettext(" (unlimited)."); ?>
+
> + " . gettext("Not Checked") . ""; ?>.
+
> + " . gettext("Not Checked") . ""; ?>.

+ +
onclick="stream5_3whs_enable_change();"> + " . gettext("Not Checked") . ""; ?>.
+
+ + " . gettext("0") . "" . + gettext(" and Max is ") . "" . gettext("86400") . "" . gettext(" (1 day).");?>

+ " . gettext("0") . + "" . gettext(", (don't consider existing sessions established).");?> +
> + " . gettext("Not Checked") . ""; ?>. +
> + " . gettext("Not Checked") . ""; ?>.
+
+ > + " . gettext("Not Checked") . ""; ?>.

+ " . gettext("Warning: ") . "" . + gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?> +
  + "> +      + ">
+
+
+
+ + + + + + + -- cgit v1.2.3