From b5787668a4dbf9f22ffeb4a2ab9b39fec2a9184b Mon Sep 17 00:00:00 2001 From: Ermal Date: Sun, 22 Jul 2012 14:30:38 +0000 Subject: Keep a copy of the so rules for each instance to enable only selected ones --- config/snort/snort.inc | 80 +++++++++++++++++++++------ config/snort/snort_check_for_rule_updates.php | 13 ++++- config/snort/snort_preprocessors.php | 33 +++++++++++ 3 files changed, 105 insertions(+), 21 deletions(-) diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d29833a2..3e9a46da 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1002,9 +1002,9 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", + "dynamicrules" => "{$snortcfgdir}/dynamicrules", "dynamicengine" => "/usr/local/lib/snort/dynamicengine", - "dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor" + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { if (!is_dir($dir)) @@ -1079,6 +1079,15 @@ function snort_generate_conf($snortcfg) { "DCERPC_BRIGHTSTORE" => "6503,6504" ); + $portvardef = ""; + foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; + } + + ///////////////////////////// /* preprocessor code */ /* def perform_stat */ 
@@ -1168,6 +1177,24 @@ preprocessor ftp_telnet_protocol: ftp client default \ bounce yes \ telnet_cmds yes +EOD; + + $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_preproc = << $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); - $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); - + $snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc" + ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data" + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { if ($snortcfg[$preproc] == 'on') { /* NOTE: The $$ is not a bug. Its a advanced feature of php */ - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . 
"{$preproclib}.so")) { + if (file_exists("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so")) { + @copy("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so", $snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } } } @@ -1330,6 +1375,8 @@ EOD; @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}"); if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { $slib = substr($enabled_item, 6, -6); + if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}")) + @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}"); if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") && file_exists("{$snortcfgdir}/rules/{$enabled_item}")) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; @@ -1398,9 +1445,6 @@ preprocessor stream5_icmp: {$snort_preprocessors} -# Ignore SSL and Encryption # -preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted - # Snort Output Logs # output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alertsystemlog_type} diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 112682d2..6221b38f 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
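Review bot: The per-instance library path in the new `file_exists` and `@copy` calls is built as `$snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so"` with no `/` between directory and filename, so with the `"{$snortcfgdir}/dynamicpreprocessor"` value set earlier in this commit the check looks for `…/dynamicpreprocessorlibsf_ssl_preproc.so` and the copy writes a file of that name beside the directory; the dynamicrules hunk below uses `"{$snort_dirs['dynamicrules']}/{$slib}"`, and these two sites should match it: `if (!file_exists("{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so")) {` and `@copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");`. The copy source `/usr/local/lib/dynamicpreprocessor/` also lacks the `snort/` component that both the replaced `$snort_dirs` path and the dynamicrules source have, so unless that directory really exists the outer `file_exists` fails and the preprocessor is silently left out of the generated conf — there is no `else` branch or `log_error` for that case, so an administrator who enabled `ssl_preproc` in the GUI gets no SSL inspection and no message. Note also that the `preprocessor ssl:` block removed further down is now only emitted when `$snortcfg['ssl_preproc'] == 'on'`, which is never true for instances saved before this commit until the preprocessor page is re-saved. The three identical `$snort_preprocessors .= $$preproc; .= "\n";` branches could be collapsed into one append guarded by a single boolean. snort_generate_conf continues outside the hunk, and the heredoc between `<<` and `$avalue) {` appears to have been lost in this rendering, so the new `$pop_preproc`/`$imap_preproc`/`$ssl_preproc` text could not be reviewed.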
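Review bot: The new `if (!file_exists(...)) @copy(...)` guard at the top of this hunk copies a `.so` into the instance's dynamicrules directory once and never refreshes it, while the matching `.so.rules` text is re-copied unconditionally by the `@copy` two lines above, so after a rule update the instance loads the old binary with new stub rules; a guard such as `if (!file_exists($dst) || filemtime($src) > filemtime($dst))`, with `$src`/`$dst` holding the two paths already on these lines, keeps them in step. The return value of `@copy` is discarded, and the `file_exists` check that follows then quietly omits the `include` line for that ruleset, so a failed copy (missing source, permissions, full disk) leaves the rule set disabled with nothing in the log; `log_error`, used elsewhere in this commit, is the place to report it. The enclosing function starts and ends outside the hunk.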
@@ -301,9 +301,16 @@ function snort_apply_customizations($snortcfg, $if_real) { else { update_status(gettext("Your set of configured rules are being copied...")); log_error(gettext("Your set of configured rules are being copied...")); - $files = explode("||", $snortcfg['rulesets']); - foreach ($files as $file) - @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}"); + $enabled_rulesets_array = explode("||", $snortcfg['rulesets']); + foreach($enabled_rulesets_array as $enabled_item) { + @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}"); + if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { + $slib = substr($enabled_item, 6, -6); + if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}")) + @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}"); + + } + } @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index e38418e5..84313577 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -66,6 +66,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; + $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; + $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; } if ($_POST) { 
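Review bot: The loop variable was renamed to `$enabled_item`, but the first statement of the new loop still copies `{$snortdir}/rules/{$file}` to `{$rule_dir}/rules/{$file}`, and neither `$file` nor `$rule_dir` is assigned anywhere in this hunk (the removed loop used `"{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}"` as its destination); unless both are set earlier in snort_apply_customizations, the `@` turns this into a silent no-op and the instance's rules directory is never populated. The dynamicrules destination `{$snort_dirs['dynamicrules']}` has the same problem — `$snort_dirs` is built in snort_generate_conf in snort.inc, not visibly here — so that copy would target `/{$slib}`. This reads as a paste of the snort.inc hunk; the minimal fix is `$rule_dir = "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}";` before the loop, `@copy("{$snortdir}/rules/{$enabled_item}", "{$rule_dir}/rules/{$enabled_item}");` inside it, and `"{$rule_dir}/dynamicrules/{$slib}"` as the `.so` destination, assuming that is the per-instance `dynamicrules` directory snort.inc creates. The function's start and end lie outside the hunk.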
@@ -88,6 +91,9 @@ if ($_POST) { $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; + $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; + $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -262,6 +268,24 @@ include_once("head.inc"); onClick="enable_change(false)">
Normalize/Decode FTP and Telnet traffic and protocol anomalies. + + Enable
+ SMTP Normalizer + + onClick="enable_change(false)">
+ Normalize/Decode POP protocol for enforcement and buffer overflows. + + + Enable
+ SMTP Normalizer + + onClick="enable_change(false)">
+ Normalize/Decode IMAP protocol for enforcement and buffer overflows. + Enable
SMTP Normalizer @@ -300,6 +324,15 @@ include_once("head.inc"); The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities. + + Enable
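Review bot: The two new rows appear to carry the label `SMTP Normalizer` copied from the existing row below them, even though their help text describes POP (`Normalize/Decode POP protocol …`) and IMAP (`Normalize/Decode IMAP protocol …`); the labels should read `POP Normalizer` and `IMAP Normalizer` so the checkbox an administrator ticks matches the preprocessor that is enabled. The markup itself (input names, table cells) has been stripped from this rendering, so whether the inputs are named `pop_preproc` and `imap_preproc` to match the `$_POST` keys read in the `@@ -88` hunk could not be checked.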
SSL Data + + + onClick="enable_change(false)">
+ SSL data searches for irregularities during SSL protocol exchange + + Enable
Sensitive Data -- cgit v1.2.3
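Review bot: The new help text `SSL data searches for irregularities during SSL protocol exchange` lacks the trailing period the sibling descriptions use and does not tell the administrator what leaving it unchecked means: the snort.inc hunk `@@ -1398` removes the unconditional `preprocessor ssl: ports { … }, trustservers, noinspect_encrypted` line, so this checkbox now decides whether the SSL preprocessor is emitted at all. Suggested wording, to be checked against the `$ssl_preproc` heredoc this rendering has lost: `Inspect the SSL handshake for protocol irregularities on the SSL ports. Disabling this also removes the SSL preprocessor that was previously always enabled.`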