From 42dd785bc1645024688058d372c08931bc1c9c08 Mon Sep 17 00:00:00 2001 From: robiscool Date: Fri, 11 Sep 2009 04:17:13 -0700 Subject: snort-dev, update pfsense_rules.tar.gz and md5, update pfsense voip rules sids, update auto rule update and rule block time --- .../pfsense_rules/pfsense_rules.tar.gz.md5 | 2 +- .../pfsense_rules/rules/pfsense-voip.rules | 11 +- config/snort-dev/snort.inc | 128 +++++++++++++++++++-- config/snort-dev/snort.xml | 45 +++++++- config/snort-dev/snort_check_for_rule_updates.php | 10 +- 5 files changed, 172 insertions(+), 24 deletions(-) (limited to 'config/snort-dev') diff --git a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 index 97a55e1d..0aede4a0 100644 --- a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 +++ b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -1 +1 @@ -101 \ No newline at end of file +102 \ No newline at end of file diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules index 3142c0b6..12f2fdf2 100644 --- a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules +++ b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules @@ -1,11 +1,10 @@ -alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;) +alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;) # Excessive number of SIP 4xx Responses Does not work -#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;) -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;) - +#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;) +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;) # Rule for alerting of INVITE flood attack: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;) +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;) # Rule for alerting of REGISTER flood attack: alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;) # Threshold rule for unauthorized responses: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;) +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;) diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index e84c0e31..e1685124 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -64,17 +64,23 @@ function sync_package_snort_install() { exec("/bin/mkdir -p /var/log/snort"); exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); - exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators"); - exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf"); - exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); - exec("/usr/bin/touch /usr/local/etc/snort/rules/local.rules"); - exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + if(file_exists("/usr/local/etc/snort/unicode.map-sample")) { + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); + exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); + exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators"); + exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid"); + exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf"); + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); + } + + if(!file_exists("/usr/local/etc/snort/rules/local.rules")) + exec("/bin/cp /usr/local/pkg/local.rules /usr/local/etc/snort/rules/local.rules"); + } function sync_package_snort() @@ -723,6 +729,106 @@ function snort_rm_blocked_install_cron($should_install) { snort_rm_blocked_install_cron(""); snort_rm_blocked_install_cron($snort_rm_blocked_false); + + /* set the snort rules update time */ + $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_up_rules_info_ck == "never_up") + $snort_up_rules_false = ""; + else + $snort_up_rules_false = "true"; + +function snort_up_rules_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_up_rules_info_ck == "6h_up") { + $snort_up_rules_min = "*"; + $snort_up_rules_hr = "*/6"; + $snort_up_rules_mday = "*"; + $snort_up_rules_month = "*"; + $snort_up_rules_wday = "*"; + } + if ($snort_up_rules_info_ck == "12h_up") { + $snort_up_rules_min = "*"; + $snort_up_rules_hr = "*/12"; + $snort_up_rules_mday = "*"; + $snort_up_rules_month = "*"; + $snort_up_rules_wday = "*"; + } + if ($snort_up_rules_info_ck == "1d_up") { + $snort_up_rules_min = "*"; + $snort_up_rules_hr = "*"; + $snort_up_rules_mday = "*/1"; + $snort_up_rules_month = "*"; + $snort_up_rules_wday = "*"; + } + if ($snort_up_rules_info_ck == "4d_up") { + $snort_up_rules_min = "*"; + $snort_up_rules_hr = "*"; + $snort_up_rules_mday = "*/4"; + $snort_up_rules_month = "*"; + $snort_up_rules_wday = "*"; + } + if ($snort_up_rules_info_ck == "7d_up") { + $snort_up_rules_min = "*"; + $snort_up_rules_hr = "*"; + $snort_up_rules_mday = "*/7"; + $snort_up_rules_month = "*"; + $snort_up_rules_wday = "*"; + } + if ($snort_up_rules_info_ck == "28d_up") { + $snort_up_rules_min = "*"; + $snort_up_rules_hr = "*"; + $snort_up_rules_mday = "*/28"; + $snort_up_rules_month = "*"; + $snort_up_rules_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_up_rules_min"; + $cron_item['hour'] = "$snort_up_rules_hr"; + $cron_item['mday'] = "$snort_up_rules_mday"; + $cron_item['month'] = "$snort_up_rules_month"; + $cron_item['wday'] = "$snort_up_rules_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } +} + +snort_up_rules_install_cron(""); +snort_up_rules_install_cron($snort_up_rules_false); /* open snort2c's whitelist for writing */ diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml index 20655170..568f7d27 100644 --- a/config/snort-dev/snort.xml +++ b/config/snort-dev/snort.xml @@ -178,6 +178,11 @@ 077 http://www.pfsense.com/packages/config/snort-dev/snort_threshold.xml + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/pfsense_rules/local.rules + Interface @@ -290,11 +295,43 @@ + + Update rules automatically - automaticrulesupdate - Checking this option will automatically check for and update rules once a week from snort.org. - checkbox + autorulesupdate7 + Please select the update times for rules. + select + + + + + + + + + Whitelist VPNs automatically @@ -328,9 +365,9 @@ - sync_package_snort(); + sync_package_snort(); sync_package_snort_install(); diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php index 98cb82ae..0e851165 100644 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ b/config/snort-dev/snort_check_for_rule_updates.php @@ -45,6 +45,12 @@ require_once("config.inc"); /usr/local/etc/snort/gen-msg.map"); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map"); /* php code finish */ echo "The Rules update finished...\n"; -- cgit v1.2.3