From a15664ad7508450ae5709462cefafb7bb107c159 Mon Sep 17 00:00:00 2001 From: Ermal Date: Sun, 15 Jul 2012 21:08:48 +0000 Subject: Make sensitive data configurable --- config/snort/snort.inc | 19 +++++++++++++------ config/snort/snort_alerts.php | 3 +++ config/snort/snort_preprocessors.php | 11 +++++++++++ 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 54be4225..e7ba998b 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1221,6 +1221,8 @@ preprocessor dns: \ EOD; + $sensitive_data = "preprocessor sensitive_data:\n"; + /* stream5 queued settings */ $def_max_queued_bytes_type = ''; if (!empty($snortcfg['max_queued_bytes'])) @@ -1257,7 +1259,7 @@ EOD; $snort_preproc = array ( "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", - "sf_portscan", "dce_rpc_2", "dns_preprocessor" + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { @@ -1274,9 +1276,16 @@ EOD; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; if (is_dir("{$snortdir}/preproc_rules")) { - foreach (glob("{$snortdir}/preproc_rules/*.rules") as $file) { - $file = basename($file); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/{$file}\n"; + if ($snortcfg['sensitive_data'] && file_exists("{$snortdir}/preproc_rules/sensitive-data.rules")) + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules/\n"; + + if (file_exists("{$snortdir}/preproc_rules/decoder.rules") && + file_exists("{$snortdir}/preproc_rules/preprocessor.rules")) { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } } else { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; @@ -1351,8 +1360,6 @@ preprocessor stream5_tcp: policy BSD, ports both all{$def_max_queued_bytes_type} preprocessor stream5_udp: preprocessor stream5_icmp: -preprocessor sensitive_data: - {$snort_preprocessors} # Ignore SSL and Encryption # diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index e05bd938..73c67415 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -334,6 +334,9 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { + diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 339c0168..6a5cca6e 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -65,6 +65,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; + $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; } if ($_POST) { @@ -86,6 +87,7 @@ if ($_POST) { $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; + $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -298,6 +300,15 @@ include_once("head.inc"); The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities. + + Enable
Sensitive Data + + + onClick="enable_change(false)">
+ Sensisitive data searches for CC or SS# in data + +   -- cgit v1.2.3