From 595c831d2768547d49e6daf147889c6aee15f9a4 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 18 Nov 2013 18:59:41 -0500 Subject: Snort 2.9.5.5 pkg v3.0.0 update --- config/snort/snort_httpinspect_engine.php | 751 ++++++++++++++++++++++++++++++ 1 file changed, 751 insertions(+) create mode 100644 config/snort/snort_httpinspect_engine.php (limited to 'config/snort/snort_httpinspect_engine.php') diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php new file mode 100644 index 00000000..58488f2d --- /dev/null +++ b/config/snort/snort_httpinspect_engine.php @@ -0,0 +1,751 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['ports'])) + $pconfig['ports'] = "default"; + if (empty($pconfig['server_profile'])) + $pconfig['server_profile'] = "all"; + if (empty($pconfig['enable_xff'])) + $pconfig['enable_xff'] = "off"; + if (empty($pconfig['log_uri'])) + $pconfig['log_uri'] = "off"; + if (empty($pconfig['log_hostname'])) + $pconfig['log_hostname'] = "off"; + if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0) + $pconfig['server_flow_depth'] = 65535; + if (empty($pconfig['enable_cookie'])) + $pconfig['enable_cookie'] = "on"; + if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0) + $pconfig['client_flow_depth'] = 1460; + if (empty($pconfig['extended_response_inspection'])) + $pconfig['extended_response_inspection'] = "on"; + if (empty($pconfig['no_alerts'])) + $pconfig['no_alerts'] = "off"; + if (empty($pconfig['unlimited_decompress'])) + $pconfig['unlimited_decompress'] = "on"; + if (empty($pconfig['inspect_gzip'])) + $pconfig['inspect_gzip'] = "on"; + if (empty($pconfig['normalize_cookies'])) + $pconfig['normalize_cookies'] = "on"; + if (empty($pconfig['normalize_headers'])) + $pconfig['normalize_headers'] = "on"; + if (empty($pconfig['normalize_utf'])) + $pconfig['normalize_utf'] = "on"; + if (empty($pconfig['normalize_javascript'])) + $pconfig['normalize_javascript'] = "on"; + if (empty($pconfig['allow_proxy_use'])) + $pconfig['allow_proxy_use'] = "off"; + if (empty($pconfig['inspect_uri_only'])) + $pconfig['inspect_uri_only'] = "off"; + if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0) + $pconfig['max_javascript_whitespaces'] = 200; + if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0) + $pconfig['post_depth'] = -1; + if (empty($pconfig['max_headers'])) + $pconfig['max_headers'] = 0; + if (empty($pconfig['max_spaces'])) + $pconfig['max_spaces'] = 0; + if (empty($pconfig['max_header_length'])) + $pconfig['max_header_length'] = 0; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + $_SESSION['http_inspect_import'] = array(); + + $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + else { + unset($_SESSION['http_inspect_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + + // Grab all the POST values and save in new temp array + $engine = array(); + if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; } + if ($_POST['httpinspect_bind_to']) { + if (is_alias($_POST['httpinspect_bind_to'])) + $engine['bind_to'] = $_POST['httpinspect_bind_to']; + elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; } + + // Validate the text input fields before saving + if (!empty($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] == 0) { + $engine['server_flow_depth'] = $_POST['httpinspect_server_flow_depth']; + if (!is_numeric($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] < -1 || $_POST['httpinspect_server_flow_depth'] > 65535) + $input_errors[] = gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535."); + } + else + $engine['server_flow_depth'] = 65535; + + if (!empty($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] == 0) { + $engine['client_flow_depth'] = $_POST['httpinspect_client_flow_depth']; + if (!is_numeric($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] < -1 || $_POST['httpinspect_client_flow_depth'] > 1460) + $input_errors[] = gettext("The value for Client_Flow_Depth must be between -1 and 1460."); + } + else + $engine['client_flow_depth'] = 1460; + + if (!empty($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] == 0) { + $engine['max_javascript_whitespaces'] = $_POST['httpinspect_max_javascript_whitespaces']; + if (!is_numeric($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] < 0 || $_POST['httpinspect_max_javascript_whitespaces'] > 65535) + $input_errors[] = gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535."); + } + else + $engine['max_javascript_whitespaces'] = 200; + + if (!empty($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] == 0) { + $engine['post_depth'] = $_POST['httpinspect_post_depth']; + if (!is_numeric($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] < -1 || $_POST['httpinspect_post_depth'] > 65495) + $input_errors[] = gettext("The value for Post_Depth must be between -1 and 65495."); + } + else + $engine['post_depth'] = -1; + + if (!empty($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] == 0) { + $engine['max_headers'] = $_POST['httpinspect_max_headers']; + if (!is_numeric($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] < 0 || $_POST['httpinspect_max_headers'] > 65535) + $input_errors[] = gettext("The value for Max_Headers must be between 0 and 65535."); + } + else + $engine['max_headers'] = 0; + + if (!empty($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] == 0) { + $engine['max_spaces'] = $_POST['httpinspect_max_spaces']; + if (!is_numeric($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] < 0 || $_POST['httpinspect_max_spaces'] > 65535) + $input_errors[] = gettext("The value for Max_Spaces must be between 0 and 65535."); + } + else + $engine['max_spaces'] = 0; + + if (!empty($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] == 0) { + $engine['max_header_length'] = $_POST['httpinspect_max_header_length']; + if (!is_numeric($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] < 0 || $_POST['httpinspect_max_header_length'] > 65535) + $input_errors[] = gettext("The value for Max_Header_Length must be between 0 and 65535."); + } + else + $engine['max_header_length'] = 0; + + if ($_POST['httpinspect_server_profile']) { $engine['server_profile'] = $_POST['httpinspect_server_profile']; } else { $engine['server_profile'] = "all"; } + + $engine['no_alerts'] = $_POST['httpinspect_no_alerts'] ? 'on' : 'off'; + $engine['enable_xff'] = $_POST['httpinspect_enable_xff'] ? 'on' : 'off'; + $engine['log_uri'] = $_POST['httpinspect_log_uri'] ? 'on' : 'off'; + $engine['log_hostname'] = $_POST['httpinspect_log_hostname'] ? 'on' : 'off'; + $engine['extended_response_inspection'] = $_POST['httpinspect_extended_response_inspection'] ? 'on' : 'off'; + $engine['enable_cookie'] = $_POST['httpinspect_enable_cookie'] ? 'on' : 'off'; + $engine['unlimited_decompress'] = $_POST['httpinspect_unlimited_decompress'] ? 'on' : 'off'; + $engine['inspect_gzip'] = $_POST['httpinspect_inspect_gzip'] ? 'on' : 'off'; + $engine['normalize_cookies'] = $_POST['httpinspect_normalize_cookies'] ? 'on' : 'off'; + $engine['normalize_headers'] = $_POST['httpinspect_normalize_headers'] ? 'on' : 'off'; + $engine['normalize_utf'] = $_POST['httpinspect_normalize_utf'] ? 'on' : 'off'; + $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; + $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; + $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses."); + $pconfig = $engine; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom + // if it contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine"); +include_once("head.inc"); + +?> + + + + + +
+ + +
+ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ >  + "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
+ " . gettext("default") . ""; ?>.
+
+ "default") : ?> + + + + + + + + +
  + "/>

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + +   + " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>
+
+ +
+ + + + + + + + +
+ "/>
" . gettext("'default'. ") . "";?> + " . gettext("VARIABLES") . "" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?>

+ " . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> +
+   " . gettext("All") . "";?>
+
+
> + + .
> + + .

+ " . + gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " . + "enabled, otherwise this setting does nothing.");?> +
> + + .
> + + .
> + + .
> + + .
> + + .

+ " . + gettext("If this option is used without any uricontent rules, then no inspection will take place. " . + "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?> +
> + + .
> + + .
+ + + + + +
+ " . gettext("1") . "" . gettext(" and maximum is ") . + "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables this alert). "). gettext("The default value is ") . + "" . gettext("200") . "."?>
+
> + + .
> + + .
> + + .
> + + .
> + + .
+  " . gettext(" to ") . "" . gettext("65535") . " " . gettext("(") . "" . + gettext("-1") . "" . gettext(" disables HTTP inspect, ") . "" . gettext("0") . "" . + gettext(" enables all HTTP inspect).");?>

+ " . gettext("65535") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("1460") . "" . gettext(" (") . "" . gettext("-1") . + "" . gettext(" disables HTTP inspect, ") . "" . gettext("0") . "" . + gettext(" enables all HTTP inspect).");?>

+ + " . gettext("1460") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("65495") . "" . gettext(" (") . "" . gettext("-1") . + "" . gettext(" ignores all post data, ") . "" . gettext("0") . "" . + gettext(" inspects all post data).");?>

+ " . gettext("-1") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("1024") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables the alert).");?>

+ " . gettext("0") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables the alert).");?>

+ " . gettext("0") . ".";?> +
+  " . + gettext(" to ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . + "" . gettext(" disables the alert).");?>

+ " . gettext("0") . ".";?> +
  + "> +      + ">
+
+
+
+ + + + + + + + + -- cgit v1.2.3