From 3d6508062e1067ad3d64d2bd3874aa76620c8028 Mon Sep 17 00:00:00 2001
From: robiscool
Date: Fri, 15 Jun 2012 13:11:49 -0700
Subject: snort-dev, remove win line ends that git auto adds, fix major startup issues, fix stop issues, add new log options
---
 config/snort-dev/snort_preprocessors.php | 782 +++++++++++++++----------------
 1 file changed, 391 insertions(+), 391 deletions(-)
(limited to 'config/snort-dev/snort_preprocessors.php')
diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort-dev/snort_preprocessors.php
index 7f89d433..0faf4257 100644
--- a/config/snort-dev/snort_preprocessors.php
+++ b/config/snort-dev/snort_preprocessors.php
@@ -1,391 +1,391 @@
-.
- Copyright (C) 2008-2009 Robert Zelaya.
- Copyright (C) 2011 Ermal Luci
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-require_once("guiconfig.inc");
-require_once("/usr/local/pkg/snort/snort_gui.inc");
-require_once("/usr/local/pkg/snort/snort.inc");
-
-global $g;
-
-if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- $config['installedpackages']['snortglobal']['rule'] = array();
-}
-$a_nat = &$config['installedpackages']['snortglobal']['rule'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-if (is_null($id)) {
- header("Location: /snort/snort_interfaces.php");
- exit;
-}
-
-$pconfig = array();
-if (isset($id) && $a_nat[$id]) {
- $pconfig = $a_nat[$id];
-
- /* new options */
- $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
- $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore'];
- $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
- $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
- $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
- $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
- $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
- $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs'];
- $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor'];
- $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor'];
- $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan'];
- $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
- $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
-}
-
-/* convert fake interfaces to real */
-$if_real = snort_get_real_interface($pconfig['interface']);
-$snort_uuid = $pconfig['uuid'];
-
-/* alert file */
-$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty";
-
-if ($_POST) {
-
- $natent = array();
- $natent = $pconfig;
-
- /* if no errors write to conf */
- if (!$input_errors) {
- /* post new options */
- $natent['perform_stat'] = $_POST['perform_stat'];
- if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ 
$natent['def_ssl_ports_ignore'] = ""; }
- if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; }
- if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
- if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
-
- $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
- $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
- $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off';
- $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off';
- $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off';
- $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off';
- $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
- $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
-
- if (isset($id) && $a_nat[$id])
- $a_nat[$id] = $natent;
- else {
- if (is_numeric($after))
- array_splice($a_nat, $after+1, 0, array($natent));
- else
- $a_nat[] = $natent;
- }
-
- write_config();
-
- $if_real = snort_get_real_interface($pconfig['interface']);
- sync_snort_package_config();
-
- /* after click go to this page */
- header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
- header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
- header( 'Cache-Control: no-store, no-cache, must-revalidate' );
- header( 'Cache-Control: post-check=0, pre-check=0', false );
- header( 'Pragma: no-cache' );
- header("Location: snort_preprocessors.php?id=$id");
- exit;
- }
-}
-
-$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow";
-include_once("head.inc");
-
-?>
-
-
-
-' . $pgtitle . '

';}?> - - - -
- - - - -
- - - - -
- -
- - - .noid { - position:absolute; - top:10px; - left:0px; - width:94%; - background:#FCE9C0; - background-position: 15px; - border-top:2px solid #DBAC48; - border-bottom:2px solid #DBAC48; - padding: 15px 10px 85% 50px; - } - -
You can not edit options without an interface ID.
\n"; - - } - ?> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Note: -
- Rules may be dependent on preprocessors!
- Defaults will be used when there is no user input.
Performance - Statistics
Enable - onClick="enable_change(false)"> Performance Statistics for this - interface.
HTTP Inspect Settings
Enable - onClick="enable_change(false)"> Use HTTP Inspect to - Normalize/Decode and detect HTTP traffic and protocol anomalies.
HTTP server flow depth - - - - -
-1 - to 1460 (-1 disables HTTP - inspect, 0 enables all HTTP inspect)
- Amount of HTTP server response payload to inspect. Snort's - performance may increase by adjusting this value.
- Setting this value too low may cause false negatives. Values above 0 - are specified in bytes. Default value is 0
-
Stream5 Settings
Max Queued Bytes - - - - -
- Minimum is 1024, Maximum is 1073741824 - ( default value is 1048576, 0 - means Maximum )
- The number of bytes to be queued for reassembly for TCP sessions in - memory. Default value is 1048576
-
Max Queued Segs - - - - -
- Minimum is 2, Maximum is 1073741824 - ( default value is 2621, 0 means - Maximum )
- The number of segments to be queued for reassembly for TCP sessions - in memory. Default value is 2621
-
General Preprocessor - Settings
Enable
- RPC Decode and Back Orifice detector
- onClick="enable_change(false)">
- Normalize/Decode RPC traffic and detects Back Orifice traffic on the - network.
Enable
- FTP and Telnet Normalizer
- onClick="enable_change(false)">
- Normalize/Decode FTP and Telnet traffic and protocol anomalies.
Enable
- SMTP Normalizer
- onClick="enable_change(false)">
- Normalize/Decode SMTP protocol for enforcement and buffer overflows.
Enable
- Portscan Detection
- onClick="enable_change(false)">
- Detects various types of portscans and portsweeps.
Enable
- DCE/RPC2 Detection
- onClick="enable_change(false)">
- The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC - traffic.
Enable
- DNS Detection
- onClick="enable_change(false)">
- The DNS preprocessor decodes DNS Response traffic and detects some - vulnerabilities.
Define SSL_IGNORE
- Encrypted traffic should be ignored by Snort - for both performance reasons and to reduce false positives.
- Default: "443 465 563 636 989 990 992 993 994 995".
Please - use spaces and not commas.
  - -
 Note: -
- Please save your settings before you click Start.
- -
-
- -
-
-
-
-
+.
+ Copyright (C) 2008-2009 Robert Zelaya.
+ Copyright (C) 2011 Ermal Luci
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort_gui.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
+}
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+$pconfig = array();
+if (isset($id) && $a_nat[$id]) {
+ $pconfig = $a_nat[$id];
+
+ /* new options */
+ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
+ $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore'];
+ $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
+ $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
+ $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
+ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
+ $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
+ $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs'];
+ $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor'];
+ $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor'];
+ $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan'];
+ $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
+ $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
+}
+
+/* convert fake interfaces to real */
+$if_real = snort_get_real_interface($pconfig['interface']);
+$snort_uuid = $pconfig['uuid'];
+
+/* alert file */
+$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty";
+
+if ($_POST) {
+
+ $natent = array();
+ $natent = $pconfig;
+
+ /* if no errors write to conf */
+ if (!$input_errors) {
+ /* post new options */
+ $natent['perform_stat'] = $_POST['perform_stat'];
+ if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ 
$natent['def_ssl_ports_ignore'] = ""; }
+ if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; }
+ if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
+ if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
+
+ $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
+ $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
+ $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off';
+ $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off';
+ $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off';
+ $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off';
+ $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
+ $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
+
+ if (isset($id) && $a_nat[$id])
+ $a_nat[$id] = $natent;
+ else {
+ if (is_numeric($after))
+ array_splice($a_nat, $after+1, 0, array($natent));
+ else
+ $a_nat[] = $natent;
+ }
+
+ write_config();
+
+ $if_real = snort_get_real_interface($pconfig['interface']);
+ sync_snort_package_config();
+
+ /* after click go to this page */
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: snort_preprocessors.php?id=$id");
+ exit;
+ }
+}
+
+$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow";
+include_once("head.inc");
+
+?>
+
+
+
+' . $pgtitle . '

';}?> + + + +
+ + + + +
+ + + + +
+ +
+ + + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + +
You can not edit options without an interface ID.
\n"; + + } + ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 Note: +
+ Rules may be dependent on preprocessors!
+ Defaults will be used when there is no user input.
Performance + Statistics
Enable + onClick="enable_change(false)"> Performance Statistics for this + interface.
HTTP Inspect Settings
Enable + onClick="enable_change(false)"> Use HTTP Inspect to + Normalize/Decode and detect HTTP traffic and protocol anomalies.
HTTP server flow depth + + + + +
-1 + to 1460 (-1 disables HTTP + inspect, 0 enables all HTTP inspect)
+ Amount of HTTP server response payload to inspect. Snort's + performance may increase by adjusting this value.
+ Setting this value too low may cause false negatives. Values above 0 + are specified in bytes. Default value is 0
+
Stream5 Settings
Max Queued Bytes + + + + +
+ Minimum is 1024, Maximum is 1073741824 + ( default value is 1048576, 0 + means Maximum )
+ The number of bytes to be queued for reassembly for TCP sessions in + memory. Default value is 1048576
+
Max Queued Segs + + + + +
+ Minimum is 2, Maximum is 1073741824 + ( default value is 2621, 0 means + Maximum )
+ The number of segments to be queued for reassembly for TCP sessions + in memory. Default value is 2621
+
General Preprocessor + Settings
Enable
+ RPC Decode and Back Orifice detector
+ onClick="enable_change(false)">
+ Normalize/Decode RPC traffic and detects Back Orifice traffic on the + network.
Enable
+ FTP and Telnet Normalizer
+ onClick="enable_change(false)">
+ Normalize/Decode FTP and Telnet traffic and protocol anomalies.
Enable
+ SMTP Normalizer
+ onClick="enable_change(false)">
+ Normalize/Decode SMTP protocol for enforcement and buffer overflows.
Enable
+ Portscan Detection
+ onClick="enable_change(false)">
+ Detects various types of portscans and portsweeps.
Enable
+ DCE/RPC2 Detection
+ onClick="enable_change(false)">
+ The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC + traffic.
Enable
+ DNS Detection
+ onClick="enable_change(false)">
+ The DNS preprocessor decodes DNS Response traffic and detects some + vulnerabilities.
Define SSL_IGNORE
+ Encrypted traffic should be ignored by Snort + for both performance reasons and to reduce false positives.
+ Default: "443 465 563 636 989 990 992 993 994 995".
Please + use spaces and not commas.
  + +
 Note: +
+ Please save your settings before you click Start.
+ +
+
+ +
+ + + + -- cgit v1.2.3