From a30da99a24575ba9554ace7bdf1c8e6a0119b4d0 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Tue, 18 Jun 2013 18:35:32 -0400
Subject: Add Host Attribute Table support to Preprocessors tab.
---
config/snort/snort_edit_hat_data.php | 126 ++++++++++++
config/snort/snort_preprocessors.php | 375 ++++++++++++++++++++++++-----------
2 files changed, 390 insertions(+), 111 deletions(-)
create mode 100644 config/snort/snort_edit_hat_data.php
(limited to 'config/snort')
diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php
new file mode 100644
index 00000000..f0562046
--- /dev/null
+++ b/config/snort/snort_edit_hat_data.php
@@ -0,0 +1,126 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g, $rebuild_rules;
+
+$snortdir = SNORTDIR;
+
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
+}
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!empty($a_nat[$id]['host_attribute_data']))
+ $pconfig['host_attribute_data'] = base64_decode($a_nat[$id]['host_attribute_data']);
+else
+ $pconfig['host_attribute_data'] = "";
+
+if ($_POST['clear']) {
+ unset($a_nat[$id]['host_attribute_data']);
+ write_config();
+ $rebuild_rules = false;
+ snort_generate_conf($a_nat[$id]);
+ header("Location: /snort/snort_edit_hat_data.php?id={$id}");
+ exit;
+}
+
+if ($_POST['host_attribute_data']) {
+ $a_nat[$id]['host_attribute_data'] = base64_encode($_POST['host_attribute_data']);
+ write_config();
+ $rebuild_rules = false;
+ snort_generate_conf($a_nat[$id]);
+ header("Location: /snort/snort_preprocessors.php?id={$id}");
+ exit;
+}
+
+
+$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
+$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data";
+include_once("head.inc");
+
+?>
+
+
+
+' . $pgtitle . '

';} +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +
+
+ + + + +
+ + + + + + + + + + +
+ +
+ " title=" "/>   + " onclick="parent.location='snort_preprocessors.php?id='" title=""/>   + " onclick="return confirm('')" title=""/> +
+
+
+
+ + + diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 12981398..8a741d4e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -61,6 +61,11 @@ if (isset($id) && $a_nat[$id]) { /* Get current values from config for page form fields */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['host_attribute_table'] = $a_nat[$id]['host_attribute_table']; + $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data']; + $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts']; + $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host']; + $pconfig['max_paf'] = $a_nat[$id]['max_paf']; $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; @@ -124,6 +129,12 @@ if (isset($id) && $a_nat[$id]) { /* enable the most common required preprocessors by default */ /* and set reasonable values for any options. */ /************************************************************/ + if (empty($pconfig['max_attribute_hosts'])) + $pconfig['max_attribute_hosts'] = '10000'; + if (empty($pconfig['max_attribute_services_per_host'])) + $pconfig['max_attribute_services_per_host'] = '10'; + if (empty($pconfig['max_paf'])) + $pconfig['max_paf'] = '16000'; if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; if (empty($pconfig['smtp_preprocessor'])) @@ -200,6 +211,10 @@ if ($_POST['ResetAll']) { /* Reset all the preprocessor settings to defaults */ $pconfig['perform_stat'] = "off"; + $pconfig['host_attribute_table'] = "off"; + $pconfig['max_attribute_hosts'] = '10000'; + $pconfig['max_attribute_services_per_host'] = '10'; + $pconfig['max_paf'] = '16000'; $pconfig['server_flow_depth'] = "300"; $pconfig['http_server_profile'] = "all"; $pconfig['client_flow_depth'] = "300"; 
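Review bot: `$id` from `$_GET`/`$_POST` is only checked with `is_null()` before it indexes `$a_nat`, so the `$_POST['clear']` and `$_POST['host_attribute_data']` branches create and persist a fresh `rule` entry for any id that does not exist, and `$a_nat[$id]['interface']` is then read from that empty entry for the page title. snort_preprocessors.php guards with `isset($id) && $a_nat[$id]`; the same guard belongs here, e.g. `if (is_null($id) || !isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }`. The posted table text is stored with no size or format check before `base64_encode()` and `write_config()` and is then handed to `snort_generate_conf()`, so a length bound and a short comment stating the expected format would help the next maintainer. Both writes also run on truthiness (`if ($_POST['clear'])`, `if ($_POST['host_attribute_data'])`), so a table consisting only of the text `0` is silently ignored; `isset()` together with `!== ''` is the precise test.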
@@ -266,6 +281,9 @@ elseif ($_POST['Submit']) { /* if no errors write to conf */ if (!$input_errors) { /* post new options */ + if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; } + if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; } + if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; } if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } @@ -295,6 +313,7 @@ elseif ($_POST['Submit']) { unset($natent['pscan_ignore_scanners']); $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; + $natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; 
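Review bot: The three new `max_attribute_hosts`, `max_attribute_services_per_host` and `max_paf` assignments copy the raw `$_POST` strings into `$natent` after only an empty-string test, so a non-numeric or out-of-range value reaches `write_config()` and `snort_generate_conf()` unchanged. The form text on this page states accepted ranges for these fields, so the checks belong in the validation section that precedes `if (!$input_errors)` (outside this hunk), e.g. taking the 32–524288 range the form shows for the hosts field: `if ($_POST['max_attribute_hosts'] != "" && (!ctype_digit($_POST['max_attribute_hosts']) || $_POST['max_attribute_hosts'] < 32 || $_POST['max_attribute_hosts'] > 524288)) $input_errors[] = gettext("Max Attribute Hosts must be a number between 32 and 524288.");` with matching checks for the other two. The `elseif ($_POST['Submit'])` block enclosing this hunk starts and ends outside it.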
@@ -342,14 +361,22 @@ elseif ($_POST['Submit']) { write_config(); /* Set flag to rebuild rules for this interface */ - $rebuild_rules = "on"; + $rebuild_rules = true; /*************************************************/ - /* Update the snort conf file and rebuild the */ + /* Update the snort.conf file and rebuild the */ /* rules for this interface. */ /*************************************************/ snort_generate_conf($natent); - $rebuild_rules = "off"; + $rebuild_rules = false; + + /*******************************************************/ + /* Signal Snort to reload Host Attribute Table if one */ + /* is configured and saved. */ + /*******************************************************/ + if ($natent['host_attribute_table'] == "on" && + !empty($natent['host_attribute_data'])) + snort_reload_config($natent, "SIGURG"); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 
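Review bot: `$rebuild_rules` switches from the strings `"on"`/`"off"` to `true`/`false` here, and this global is presumably consumed in snort.inc outside this diff; any loose comparison left there such as `$rebuild_rules == "off"` evaluates to false for `false` (the string `"off"` is truthy), so those readers need boolean tests in the same change. The new reload tests `$natent['host_attribute_data']`, which the Submit path in this hunk never assigns, so it only fires if `$natent` was seeded from `$a_nat[$id]` earlier in the `elseif ($_POST['Submit'])` block, which starts outside the hunk; a one-line comment such as `/* host_attribute_data is carried over from the saved entry, not posted */` above the `if` would make that dependency explicit.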
@@ -361,6 +388,47 @@ elseif ($_POST['Submit']) { exit; } } +elseif ($_POST['btn_import']) { + if (is_uploaded_file($_FILES['host_attribute_file']['tmp_name'])) { + $data = file_get_contents($_FILES['host_attribute_file']['tmp_name']); + if ($data === false) + $input_errors[] = gettext("Error uploading file {$_FILES['host_attribute_file']}!"); + else { + if (isset($id) && $a_nat[$id]) { + $a_nat[$id]['host_attribute_table'] = "on"; + $a_nat[$id]['host_attribute_data'] = base64_encode($data); + $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data']; + $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts']; + $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; + write_config(); + } + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_preprocessors.php?id=$id"); + exit; + } + } + else + $input_errors[] = gettext("No filename specified for import!"); +} +elseif ($_POST['btn_edit_hat']) { + if (isset($id) && $a_nat[$id]) { + $a_nat[$id]['host_attribute_table'] = "on"; + $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts']; + $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; + write_config(); + header("Location: snort_edit_hat_data.php?id=$id"); + exit; + } +} + +/* If Host Attribute Table option is enabled, but */ +/* no Host Attribute data exists, flag an error. */ +if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_data'])) + $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. 
Data may be entered manually or imported from a suitable file."); $if_friendly = snort_get_friendly_interface($pconfig['interface']); $pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; @@ -480,13 +548,106 @@ include_once("head.inc"); + + + + + + > + . + + + +
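Review bot: `gettext("Error uploading file {$_FILES['host_attribute_file']}!")` interpolates the whole `$_FILES` entry, which prints as the word `Array` (with an array-to-string notice) and also bakes a variable into the translation key; use `sprintf(gettext("Error uploading file %s!"), htmlspecialchars($_FILES['host_attribute_file']['name']))`. The upload is accepted without checking `$_FILES['host_attribute_file']['error'] === UPLOAD_ERR_OK` or its `['size']`, and the whole file is then base64-encoded into config.xml by `write_config()`, so a size bound (a project-chosen limit) before `file_get_contents()` and a non-empty check on `$data` would keep an oversized or failed upload out of the saved configuration. The `btn_import` and `btn_edit_hat` branches both force `host_attribute_table = "on"` and save, but unlike the Submit path they call neither `snort_generate_conf()` nor the SIGURG reload, so the imported table takes effect only after a later Save; if that is intended, a comment at the top of the `btn_import` branch stating it would help.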
+ "on") echo "disabled"; ?>>   + "on") echo "disabled"; ?>>
+

+ + + + + +

+ " + class="formbtn" + "on") echo "disabled"; ?>>   +
" . gettext("Warning: ") . "" . + gettext("No Host Attribute Data loaded - import from a file or enter it manually."); + } ?> + + + + + + + + +
"on") echo "disabled"; ?>>   + " . gettext("32") . "" . gettext(" and Max is ") . "" . + gettext("524288") . ""; ?>.
+ " . gettext("10000") . ""; ?>.
+ + + + + + + + + +
"on") echo "disabled"; ?>>   + " . gettext("1") . "" . gettext(" and Max is ") . "" . + gettext("65535") . ""; ?>.
+ " . gettext("10") . ". " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.
+ + + + + + + + + + + + +
   + " . gettext("0") . "" . gettext(" (off) and Max is ") . "" . + gettext("63780") . ""; ?>.
+ " . gettext("16000") . ". " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.
+ + - > @@ -578,7 +739,7 @@ include_once("head.inc"); -
-1 " . "to 1460 (-1 disables HTTP " . @@ -586,17 +747,17 @@ include_once("head.inc");

+ "performance may increase by adjusting this value."); ?>
300"); ?>
- - onClick="enable_change(false)"> . @@ -606,7 +767,7 @@ include_once("head.inc"); - onClick="enable_change(false)"> 8192."; ?>
+ "8192."; ?>
@@ -654,7 +815,7 @@ include_once("head.inc"); 0" . gettext(" (unlimited)."); ?>
+ "0" . gettext(" (unlimited)."); ?>
@@ -669,7 +830,7 @@ include_once("head.inc"); 0" . gettext(" (check is disabled)."); ?>
+ "0" . gettext(" (check is disabled)."); ?>
@@ -694,13 +855,13 @@ include_once("head.inc"); -   " . gettext("BSD") . ""; ?>.
-
+
@@ -708,8 +869,8 @@ include_once("head.inc"); - "> + > " . gettext("Checked") . ""; ?>. @@ -750,7 +911,7 @@ include_once("head.inc"); > + > " . gettext("Not Checked") . ""; ?>.
" . gettext("Warning: ") . "" . @@ -761,7 +922,7 @@ include_once("head.inc"); -
1024, Maximum is 1073741824 " . @@ -770,7 +931,7 @@ include_once("head.inc");
1048576"); ?>.
+ "memory. Default value is 1048576"); ?>.
@@ -778,7 +939,7 @@ include_once("head.inc"); -
2, Maximum is 1073741824 " . @@ -787,7 +948,7 @@ include_once("head.inc");
2621"); ?>.
+ "in memory. Default value is 2621"); ?>.
@@ -795,7 +956,7 @@ include_once("head.inc"); -
32768, Maximum is 1073741824 " . @@ -803,7 +964,7 @@ include_once("head.inc");
8388608 (8 MB)"); ?>.
+ "in RAM. Default value is 8388608 (8 MB)"); ?>.
@@ -811,7 +972,7 @@ include_once("head.inc"); -
0" . gettext(" (unlimited), and the maximum is ") . @@ -819,7 +980,7 @@ include_once("head.inc");
0" . gettext(" (unlimited)."); ?>
+ "0" . gettext(" (unlimited)."); ?>
@@ -827,7 +988,7 @@ include_once("head.inc"); -
1" . gettext(" and the maximum is ") . @@ -835,7 +996,7 @@ include_once("head.inc");
30" . gettext(" seconds."); ?>
+ "30" . gettext(" seconds."); ?>
@@ -843,7 +1004,7 @@ include_once("head.inc"); -
1" . gettext(" and the maximum is ") . @@ -851,7 +1012,7 @@ include_once("head.inc");
30" . gettext(" seconds."); ?>
+ "30" . gettext(" seconds."); ?>
@@ -859,7 +1020,7 @@ include_once("head.inc"); -
1" . gettext(" and the maximum is ") . @@ -867,33 +1028,32 @@ include_once("head.inc");
30" . gettext(" seconds."); ?>
+ "30" . gettext(" seconds."); ?>
- + - -   " . gettext("BSD") . ""; ?>.
-
+
-
- - + > -    -    -    - - - + - - + - - + - - + - - + - - + - - + - - + - - + - + - + - + - + - - - - - - + + + + + +
10,000,000" . gettext(" bytes. (10 MB)"); ?>
+ "10,000,000" . gettext(" bytes. (10 MB)"); ?>
-   " . gettext("\$HOME_NET") . ""; ?>.

@@ -1006,97 +1166,79 @@ include_once("head.inc");

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
>

-
> " . gettext("Checked") . ""; ?>.

- > " . gettext("Checked") . ""; ?>.

- >
- +

- > " . - gettext("If your network does not contain Modbus-enabled devices, you should leave this preprocessor disabled."); ?> + "" . gettext("Note: ") . "" . + gettext("If your network does not contain Modbus-enabled devices, you can leave this preprocessor disabled."); ?>

- > " . - gettext("If your network does not contain DNP3-enabled devices, you should leave this preprocessor disabled."); ?> + "" . gettext("Note: ") . "" . + gettext("If your network does not contain DNP3-enabled devices, you can leave this preprocessor disabled."); ?>
  - "/> -      - />
  - -
+ "> +      + >
  + +
@@ -1201,6 +1345,15 @@ function frag3_enable_change() { document.iform.frag3_timeout.disabled=endis; } +function host_attribute_table_enable_change() { + var endis = !(document.iform.host_attribute_table.checked); + document.iform.host_attribute_file.disabled=endis; + document.iform.btn_import.disabled=endis; + document.iform.btn_edit_hat.disabled=endis; + document.iform.max_attribute_hosts.disabled=endis; + document.iform.max_attribute_services_per_host.disabled=endis; +} + function http_inspect_enable_change() { var endis = !(document.iform.http_inspect.checked); document.iform.http_inspect_enable_xff.disabled=endis; -- cgit v1.2.3