From a42356458f46215de8718088c2f9143294532bca Mon Sep 17 00:00:00 2001
From: Ermal
Date: Mon, 16 Jul 2012 08:43:35 +0000
Subject: Force use of aliases from pfSense for replacing snort var settings. Also make snort var settings generic and overridable in all of its definitions
---
 config/snort/snort_define_servers.php | 542 +++++++++-------------------------
 1 file changed, 142 insertions(+), 400 deletions(-)
(limited to 'config/snort/snort_define_servers.php')
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index f69209e5..3cf70bc9 100644
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -48,47 +48,41 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
 }
 $a_nat = &$config['installedpackages']['snortglobal']['rule'];
 
-$pconfig = array();
-if (isset($id) && $a_nat[$id]) {
-	$pconfig = $a_nat[$id];
+/* NOTE: KEEP IN SYNC WITH SNORT.INC since global do not work quite well with package */
+/* define servers and ports snortdefservers */
+$snort_servers = array (
+"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
+"www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
+"snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET",
+"pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET",
+"sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET",
+"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
+);
 
-	/* old options */
-	$pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers'];
-	$pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports'];
-	$pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers'];
-	$pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports'];
-	$pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports'];
-	$pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers'];
-	$pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers'];
-	$pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports'];
-	$pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers'];
-	$pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports'];
-	$pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports'];
-	$pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers'];
-	$pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports'];
-	$pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers'];
-	$pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports'];
-	$pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers'];
-	$pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports'];
-	$pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers'];
-	$pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports'];
-	$pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers'];
-	$pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports'];
-	$pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports'];
-	$pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers'];
-	$pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports'];
-	$pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip'];
-	$pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers'];
-	$pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports'];
-	$pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports'];
-	$pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports'];
-	$pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports'];
-	$pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports'];
-	$pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports'];
-	$pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports'];
-	$pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports'];
-	$pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports'];
-}
+/* if user has defined a custom ssh port, use it */
+if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
+	$ssh_port = $config['system']['ssh']['port'];
+else
+	$ssh_port = "22";
+$snort_ports = array(
+"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
+"http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433",
+"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
+"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
+"imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
+"sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79",
+"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
+"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
+"ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
+"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
+"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
+"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
+"DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
+"DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
+"DCERPC_BRIGHTSTORE" => "6503,6504"
+);
+
+$pconfig = $a_nat[$id];
 
 /* convert fake interfaces to real */
 $if_real = snort_get_real_interface($pconfig['interface']);
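Review bot: `$pconfig = $a_nat[$id];` at the end of the hunk drops the old `isset($id) && $a_nat[$id]` guard, so when `$id` is absent or does not name an existing entry `$pconfig` is null and the next line calls `snort_get_real_interface($pconfig['interface'])` on an undefined index. Where `$id` is assigned is outside this hunk; if it is taken from the request it has to be checked before this point, e.g. `if (!isset($id) || !is_array($a_nat[$id])) { header('Location: <interfaces-list-page>'); exit; }`, and the same missing check lets the save path in the next hunk write to whatever key `$id` holds. The `$snort_servers`/`$snort_ports` tables are flagged `KEEP IN SYNC WITH SNORT.INC`; a function in snort.inc returning both arrays would give this page and the config generator a single copy without relying on globals, which the NOTE gives as the reason for duplicating them.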
@@ -105,51 +99,20 @@ if ($_POST) {
 	/* if no errors write to conf */
 	if (!$input_errors) {
 		/* post new options */
-		if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; }
-		if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; }
-		if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; }else{ $natent['def_smtp_servers'] = ""; }
-		if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; }else{ $natent['def_smtp_ports'] = ""; }
-		if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; }else{ $natent['def_mail_ports'] = ""; }
-		if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; }else{ $natent['def_http_servers'] = ""; }
-		if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; }else{ $natent['def_www_servers'] = ""; }
-		if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; }else{ $natent['def_http_ports'] = ""; }
-		if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; }else{ $natent['def_sql_servers'] = ""; }
-		if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; }else{ $natent['def_oracle_ports'] = ""; }
-		if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; }else{ $natent['def_mssql_ports'] = ""; }
-		if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; }else{ $natent['def_telnet_servers'] = ""; }
-		if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; }else{ $natent['def_telnet_ports'] = ""; }
-		if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; }else{ $natent['def_snmp_servers'] = ""; }
-		if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; }else{ $natent['def_snmp_ports'] = ""; }
-		if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; }else{ $natent['def_ftp_servers'] = ""; }
-		if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; }else{ $natent['def_ftp_ports'] = ""; }
-		if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; }else{ $natent['def_ssh_servers'] = ""; }
-		if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; }else{ $natent['def_ssh_ports'] = ""; }
-		if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; }else{ $natent['def_pop_servers'] = ""; }
-		if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; }else{ $natent['def_pop2_ports'] = ""; }
-		if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; }else{ $natent['def_pop3_ports'] = ""; }
-		if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; }else{ $natent['def_imap_servers'] = ""; }
-		if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; }else{ $natent['def_imap_ports'] = ""; }
-		if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; }else{ $natent['def_sip_proxy_ip'] = ""; }
-		if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; }else{ $natent['def_sip_proxy_ports'] = ""; }
-		if ($_POST['def_sip_servers'] != "") { $natent['def_sip_servers'] = $_POST['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; }
-		if ($_POST['def_sip_ports'] != "") { $natent['def_sip_ports'] = $_POST['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; }
-		if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; }else{ $natent['def_auth_ports'] = ""; }
-		if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; }else{ $natent['def_finger_ports'] = ""; }
-		if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; }else{ $natent['def_irc_ports'] = ""; }
-		if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; }else{ $natent['def_nntp_ports'] = ""; }
-		if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; }else{ $natent['def_rlogin_ports'] = ""; }
-		if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; }else{ $natent['def_rsh_ports'] = ""; }
-		if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; }else{ $natent['def_ssl_ports'] = ""; }
-
-
-		if (isset($id) && $a_nat[$id])
-			$a_nat[$id] = $natent;
-		else {
-			if (is_numeric($after))
-				array_splice($a_nat, $after+1, 0, array($natent));
+		foreach ($snort_servers as $key => $server) {
+			if ($_POST["def_{$key}"])
+				$natent["def_{$key}"] = $_POST["def_{$key}"];
 			else
-				$a_nat[] = $natent;
+				unset($natent["def_{$key}"]);
 		}
+		foreach ($snort_ports as $key => $server) {
+			if ($_POST["def_{$key}"])
+				$natent["def_{$key}"] = $_POST["def_{$key}"];
+			else
+				unset($natent["def_{$key}"]);
+		}
+
+		$a_nat[$id] = $natent;
 
 		write_config();
@@ -171,30 +134,23 @@ $pgtitle = "Snort: Interface {$if_friendly} Define Servers";
 include_once("head.inc");
 ?>
- + ' . $pgtitle . '
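Review bot: Both `foreach` loops copy `$_POST["def_{$key}"]` straight into the interface entry with no validation, even though the commit title says these values are to come from pfSense aliases; any string is accepted and persisted by `write_config()`, and the `// TODO: add checks` comment in the next hunk confirms the checks do not exist yet. Since these strings presumably end up verbatim in the generated snort configuration as var/portvar definitions, each one should be verified in the `$input_errors` phase that precedes this block: for the `*_servers` keys accept only an existing alias name or a comma-separated list of addresses/CIDRs, for the `*_ports` keys only an alias name or a comma-separated list of port numbers and `low:high` ranges, and push a message to `$input_errors[]` otherwise. Two smaller points: `if ($_POST["def_{$key}"])` tests truthiness, so a submitted `"0"` is now discarded where the old `!= ""` comparison kept it — `if (isset($_POST["def_{$key}"]) && $_POST["def_{$key}"] !== "")` restores the old meaning — and `$a_nat[$id] = $natent;` has lost the `isset($id) && $a_nat[$id]` guard, so a request with a stale or malformed `$id` creates a new entry under that key instead of being rejected (where `$id` is set is outside this hunk). The value variable of the ports loop is named `$server`; `$default` would fit both loops.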

';} +/* Display Alert message */ +if ($input_errors) + print_input_errors($input_errors); // TODO: add checks +if ($savemsg) + print_info_box($savemsg); ?> - - - -
+ + + + + + +
' . $pgtitle . '

';}
+ + + + $server): + if (strlen($server) > 40) + $server = substr($server, 0, 40) . "..."; + $label = strtoupper($key); + $value = ""; + if (!empty($pconfig["def_{$key}"])) + $value = htmlspecialchars($pconfig["def_{$key}"]); +?> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + $server): + $server = substr($server, 0, 20); + $label = strtoupper($key); + $value = ""; + if (!empty($pconfig["def_{$key}"])) + $value = htmlspecialchars($pconfig["def_{$key}"]); +?> - - + + -
Define Servers
 Note:
- Please save your settings before you click start.
- Please make sure there are no spaces in your - definitions.
Define Servers
Define DNS_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define DNS_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 53.
Define SMTP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SMTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 25.
Define Mail_Ports
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 25,143,465,691.
Define HTTP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define WWW_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define HTTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 80.
Define SQL_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define ORACLE_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 1521.
Define MSSQL_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 1433.
Define TELNET_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define TELNET_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 23.
Define SNMP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SNMP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 161.
Define FTP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define FTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 21.
Define SSH_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SSH_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is the firewall's SSH port.
Define POP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define POP2_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 109.
Define POP3_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 110.
Define IMAP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define IMAP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 143.
Define SIP_PROXY_IP
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SIP_PROXY_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define SIP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SIP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define AUTH_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 113.
Define FINGER_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 79.
Define IRC_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.
Define NNTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 119.
Define RLOGIN_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 513.
Define RSH_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 514.
Define SSL_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 25,443,465,636,993,995.
  - - + Define +
+ Default value: ""
Leave + blank for default value.
Define Ports
 Note: -
- Please save your settings before you click start.
Define
+ Default value: ""
Leave + blank for default value.
+
+ +
  + + +
+ + -- cgit v1.2.3
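Review bot: The ports table truncates every default with `$server = substr($server, 0, 20);` and no marker, while the servers table above uses `substr($server, 0, 40) . "..."` only when the value exceeds 40 characters, so long defaults such as `sun_rpc_ports` and the `DCERPC_*` entries are shown to the user as a shorter, wrong list with nothing indicating it was cut; apply the same length check and `"..."` suffix in both loops, or show the full default in the field's `title` attribute and keep the visible text as a hint. Most of this hunk's markup is lost in this rendering, so whether `$server` is passed through `htmlspecialchars()` before it is echoed in the `Default value:` text cannot be confirmed; `$value` is, and the default should be treated the same way since `$ssh_port` is read from the system config rather than being a literal. The `// TODO: add checks` comment is attached to `print_input_errors($input_errors);`, but the checks it refers to belong in the POST handler where the values are stored, so the comment should move there and name what is to be checked (alias name or address/port list syntax).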