From a368d93cd9d13cef90fdaf505130106b151860ca Mon Sep 17 00:00:00 2001
From: Ermal <eri@pfsense.org>
Date: Sat, 14 Jul 2012 21:17:51 +0000
Subject: Use ports from the configuration that can be overriden than hardcoded
 ones

---
 config/snort/snort.inc               | 73 +++++++++++++++++++-----------------
 config/snort/snort_preprocessors.php | 12 ------
 2 files changed, 39 insertions(+), 46 deletions(-)

(limited to 'config/snort')

diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index f6181819..9fa3beab 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1048,6 +1048,29 @@ function snort_generate_conf($snortcfg) {
 	if(!empty($snortcfg['performance']))
 		$snort_performance = $snortcfg['performance'];
 
+	/* if user has defined a custom ssh port, use it */
+	if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
+		$ssh_port = $config['system']['ssh']['port'];
+	else
+		$ssh_port = "22";
+	$ports = array(
+		"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
+		"http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433",
+		"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
+		"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", 
+		"imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
+		"sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", 
+		"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
+		"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
+		"ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
+		"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", 
+		"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
+		"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
+		"DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
+		"DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
+		"DCERPC_BRIGHTSTORE" => "6503,6504"
+	);
+
 	/////////////////////////////
 	/* preprocessor code */
 	/* def perform_stat */
@@ -1061,13 +1084,14 @@ EOD;
 	if (!empty($snortcfg['flow_depth']))
 		$def_flow_depth_type = $snortcfg['flow_depth'];
 
+	$http_ports = str_replace(",", " ", $ports['http_ports']);
 	/* def http_inspect */
 	$http_inspect = <<<EOD
 # HTTP Inspect  #
 preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
 
 preprocessor http_inspect_server: server default \
-                        ports  { 80 8080 }  \
+                        ports  { {$http_ports }  \
                         non_strict \
                         non_rfc_char  { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }  \
                         flow_depth {$def_flow_depth_type}  \
@@ -1138,11 +1162,12 @@ preprocessor ftp_telnet_protocol: ftp client default \
 	
 EOD;
 
+	$smtp_ports = str_replace(",", " ", $ports['mail_ports']);
 	/* def smtp_preprocessor */
 	$smtp_preprocessor = <<<EOD
 # SMTP preprocessor #
 preprocessor SMTP: \
-    ports { 25 465 691 } \
+    ports { {$mail_ports} } \
     inspection_type stateful \
     normalize cmds \
     valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
@@ -1173,10 +1198,11 @@ preprocessor sfportscan: scan_type { all } \
 	
 EOD;
 
+	$sun_rpc_ports = str_replace(",", " ", $ports['sun_rpc_ports']);
 	/* def other_preprocs */
 	$other_preprocs = <<<EOD
 # Other preprocs #
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
+preprocessor rpc_decode: {$sun_rpc_ports}
 
 # Back Orifice
 preprocessor bo
@@ -1188,17 +1214,18 @@ EOD;
 # DCE/RPC 2   #
 preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
 preprocessor dcerpc2_server: default, policy WinXP, \
-    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
+    detect [smb [{$ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \
     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
     smb_max_chain 3
 	
 EOD;
 
+	$dns_ports = str_replace(",", " ", $ports['dns_ports']);
 	/* def dns_preprocessor */
 	$dns_preprocessor = <<<EOD
 # DNS preprocessor #
 preprocessor dns: \
-    ports { 53 } \
+    ports { {$dns_ports} } \
     enable_rdata_overflow
 	
 EOD;
@@ -1222,30 +1249,6 @@ EOD;
 		"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
 	    );
 
-	/* if user has defined a custom ssh port, use it */
-	if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
-		$ssh_port = $config['system']['ssh']['port'];
-	else
-		$ssh_port = "22";
-	$ports = array(
-		"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
-		"http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433",
-		"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
-		"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", 
-		"imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
-		"sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", 
-		"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
-		"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
-		"ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
-		"ssl_ports_ignore" => "443,465,563,636,989,990,992,993,994,995",
-		"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", 
-		"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
-		"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
-		"DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
-		"DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
-		"DCERPC_BRIGHTSTORE" => "6503,6504"
-	);
-
 	$vardef = "";
 	foreach ($servers as $alias => $avalue) {
 		if (!empty($snortcfg[$alias]))
@@ -1259,7 +1262,7 @@ EOD;
 			$ports[$alias] = $snortcfg["def_{$alias}"];
 		$portvardef .= "portvar " . strtoupper($alias) . " [" . $ports[$alias] . "]\n";
 	}
-	$def_ssl_ports_ignore = str_replace(",", " ", $ports['ssl_ports_ignore']);
+	$def_ssl_ports_ignore = str_replace(",", " ", $ports['ssl_ports']);
 
 	$snort_preproc = array (
 		"perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", 
@@ -1279,10 +1282,12 @@ EOD;
 		$snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
 	if (file_exists("{$snortcfgdir}/classification.config"))
 		$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
-	if (file_exists("{$snortdir}/preproc_rules/preprocessor.rules"))
-		$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
-	if (file_exists("{$snortdir}/preproc_rules/decoder.rules"))
-		$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+	if (is_dir("{$snortdir}/preproc_rules")) {
+		foreach (glob("{$snortdir}/preproc_rules/*.rules") as $file) {
+			$file = basename($file);
+			$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/{$file}\n";
+		}
+	}
 
 	/* generate rule sections to load */
 	$selected_rules_sections = "";
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 29a1d7bb..339c0168 100644
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -55,7 +55,6 @@ if (isset($id) && $a_nat[$id]) {
 
 	/* new options */
 	$pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
-	$pconfig['ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore'];
 	$pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
 	$pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
 	$pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
@@ -75,7 +74,6 @@ if ($_POST) {
 	/* if no errors write to conf */
 	if (!$input_errors) {
 		/* post new options */
-		if ($_POST['ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; }
 		if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; }
 		if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
 		if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
@@ -300,16 +298,6 @@ include_once("head.inc");
 		The DNS preprocessor decodes DNS Response traffic and detects some
 		vulnerabilities.</td>
 	</tr>
-	<tr>
-		<td width="22%" valign="top" class="vncell">Define SSL_IGNORE</td>
-		<td width="78%" class="vtable"><input name="ssl_ports_ignore"
-			type="text" class="formfld" id="ssl_ports_ignore" size="40"
-			value="<?=htmlspecialchars($pconfig['ssl_ports_ignore']);?>"> <br>
-		<span class="vexpl"> Encrypted traffic should be ignored by Snort
-		for both performance reasons and to reduce false positives.<br>
-		Default: "443 465 563 636 989 990 992 993 994 995".</span> <strong>Please
-		use spaces and not commas.</strong></td>
-	</tr>
 	<tr>
 		<td width="22%" valign="top">&nbsp;</td>
 				<td width="78%">
-- 
cgit v1.2.3