From 5e7d09815eee1c6cc3f32fea57d65eb6950c7525 Mon Sep 17 00:00:00 2001 From: robiscool Date: Wed, 13 Jun 2012 16:53:11 -0700 Subject: snort-dev, move snort-dev2 code to snort-dev --- config/snort-dev/snort_preprocessors.php | 391 +++++++++++++++++++++++++++++++ 1 file changed, 391 insertions(+) create mode 100644 config/snort-dev/snort_preprocessors.php (limited to 'config/snort-dev/snort_preprocessors.php') diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort-dev/snort_preprocessors.php new file mode 100644 index 00000000..7f89d433 --- /dev/null +++ b/config/snort-dev/snort_preprocessors.php @@ -0,0 +1,391 @@ +. + Copyright (C) 2008-2009 Robert Zelaya. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; + + /* new options */ + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; + $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; + $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; + $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; + $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; +} + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $pconfig['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + $natent = array(); + $natent = $pconfig; + + /* if no errors write to conf */ + if (!$input_errors) { + /* post new options */ + $natent['perform_stat'] = $_POST['perform_stat']; + if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } + if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; } + if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } + if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } + + $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; + $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; + $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; + $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; + $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; + $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; + $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; + $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + $if_real = snort_get_real_interface($pconfig['interface']); + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_preprocessors.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow"; +include_once("head.inc"); + +?> + + + +' . $pgtitle . '

';}?> + + + +
+ + + + +
+ + + + +
+ +
+ + + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + +
You can not edit options without an interface ID.
\n"; + + } + ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 Note: +
+ Rules may be dependent on preprocessors!
+ Defaults will be used when there is no user input.
Performance + Statistics
Enable + onClick="enable_change(false)"> Performance Statistics for this + interface.
HTTP Inspect Settings
Enable + onClick="enable_change(false)"> Use HTTP Inspect to + Normalize/Decode and detect HTTP traffic and protocol anomalies.
HTTP server flow depth + + + + +
-1 + to 1460 (-1 disables HTTP + inspect, 0 enables all HTTP inspect)
+ Amount of HTTP server response payload to inspect. Snort's + performance may increase by adjusting this value.
+ Setting this value too low may cause false negatives. Values above 0 + are specified in bytes. Default value is 0
+
Stream5 Settings
Max Queued Bytes + + + + +
+ Minimum is 1024, Maximum is 1073741824 + ( default value is 1048576, 0 + means Maximum )
+ The number of bytes to be queued for reassembly for TCP sessions in + memory. Default value is 1048576
+
Max Queued Segs + + + + +
+ Minimum is 2, Maximum is 1073741824 + ( default value is 2621, 0 means + Maximum )
+ The number of segments to be queued for reassembly for TCP sessions + in memory. Default value is 2621
+
General Preprocessor + Settings
Enable
+ RPC Decode and Back Orifice detector		 + onClick="enable_change(false)">
+ Normalize/Decode RPC traffic and detects Back Orifice traffic on the + network.
Enable
+ FTP and Telnet Normalizer		 + onClick="enable_change(false)">
+ Normalize/Decode FTP and Telnet traffic and protocol anomalies.
Enable
+ SMTP Normalizer		 + onClick="enable_change(false)">
+ Normalize/Decode SMTP protocol for enforcement and buffer overflows.
Enable
+ Portscan Detection		 + onClick="enable_change(false)">
+ Detects various types of portscans and portsweeps.
Enable
+ DCE/RPC2 Detection		 + onClick="enable_change(false)">
+ The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC + traffic.
Enable
+ DNS Detection		 + onClick="enable_change(false)">
+ The DNS preprocessor decodes DNS Response traffic and detects some + vulnerabilities.
Define SSL_IGNORE
+ Encrypted traffic should be ignored by Snort + for both performance reasons and to reduce false positives.
+ Default: "443 465 563 636 989 990 992 993 994 995". Please + use spaces and not commas.
  + +
 Note: +
+ Please save your settings before you click Start.
+ +
+
+ +
+ + + + -- cgit v1.2.3