From ae3323845cd71bfae33f12203e6362f03fc634d9 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 23 Jul 2014 15:37:29 -0400 Subject: Update Snort package to latest 2.9.6.2 binary and fix some GUI bugs. --- config/snort/snort.inc | 1310 +----------------------- config/snort/snort.priv.inc | 2 + config/snort/snort.xml | 24 +- config/snort/snort_alerts.php | 2 + config/snort/snort_blocked.php | 2 +- config/snort/snort_check_cron_misc.inc | 2 +- config/snort/snort_check_for_rule_updates.php | 10 +- config/snort/snort_conf_template.inc | 112 ++ config/snort/snort_define_servers.php | 2 + config/snort/snort_download_rules.php | 3 +- config/snort/snort_download_updates.php | 2 +- config/snort/snort_edit_hat_data.php | 4 + config/snort/snort_generate_conf.php | 1351 +++++++++++++++++++++++++ config/snort/snort_interfaces.php | 73 +- config/snort/snort_interfaces_edit.php | 92 +- config/snort/snort_interfaces_global.php | 4 +- config/snort/snort_ip_reputation.php | 2 + config/snort/snort_migrate_config.php | 96 +- config/snort/snort_post_install.php | 1348 +----------------------- config/snort/snort_preprocessors.php | 476 ++++++++- config/snort/snort_rules.php | 6 + config/snort/snort_rulesets.php | 2 + 22 files changed, 2261 insertions(+), 2664 deletions(-) create mode 100644 config/snort/snort_conf_template.inc create mode 100644 config/snort/snort_generate_conf.php (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 47274e77..362002cd 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -49,30 +49,28 @@ global $rebuild_rules, $pfSense_snort_version; // Grab the Snort binary version programmatically, but if that fails use a safe default $snortver = array(); exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); -$snort_version = $snortver[0]; -if (empty($snort_version)) - $snort_version = "2.9.6.0"; /* Used to indicate latest version of this include file has been loaded */ -$pfSense_snort_version = "3.0.13"; +$pfSense_snort_version = "3.1"; /* get installed package version for display */ $snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}"; // Define SNORTDIR and SNORTLIBDIR constants according to pfSense version $pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); -if ($pfs_version > 2.0) { - define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort"); - define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort"); -} -else { +if ($pfs_version < 2.1) { define("SNORTDIR", "/usr/local/etc/snort"); define("SNORTLIBDIR", "/usr/local/lib/snort"); } +else { + define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort"); + define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort"); +} /* Define some useful constants for Snort */ /* Be sure to include trailing slash on the URL defines */ define("SNORTLOGDIR", "/var/log/snort"); +define("SNORT_BIN_VERSION", "2.9.6.2"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); @@ -761,7 +759,7 @@ function snort_rm_blocked_install_cron($should_install) { // Now either install the new or updated cron job, // or return if "rm_blocked" is disabled if ($should_install) { - $command = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire {$snort_rm_blocked_expire}"; install_cron_job($command, $should_install, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root"); } } @@ -849,7 +847,7 @@ function sync_snort_package_config() { /* do not start config build if rules is empty or there are no Snort settings */ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) { - @unlink("{$rcdir}/snort.sh"); + @unlink("{$rcdir}snort.sh"); conf_mount_ro(); return; } @@ -1936,11 +1934,8 @@ esac EOD; /* write out snort.sh */ - if (!@file_put_contents("{$rcdir}/snort.sh", $snort_sh_text)) { - log_error("Could not open {$rcdir}/snort.sh for writing."); - return; - } - @chmod("{$rcdir}/snort.sh", 0755); + @file_put_contents("{$rcdir}snort.sh", $snort_sh_text); + @chmod("{$rcdir}snort.sh", 0755); } function snort_generate_barnyard2_conf($snortcfg, $if_real) { @@ -2152,7 +2147,7 @@ function snort_deinstall() { log_error(gettext("[Snort] Package deletion requested... removing all files...")); mwexec("/bin/rm -rf {$snortdir}"); mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules"); - mwexec("/bin/rm -f {$rcdir}/snort.sh"); + mwexec("/bin/rm -f {$rcdir}snort.sh"); mwexec("/bin/rm -rf /usr/local/pkg/snort"); mwexec("/bin/rm -rf /usr/local/www/snort"); mwexec("/bin/rm -rf /usr/local/etc/snort"); @@ -2515,1283 +2510,44 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa function snort_generate_conf($snortcfg) { + /********************************************************/ + /* This function generates the snort.conf file for the */ + /* passed interface using stored values from the Snort */ + /* package configuration. */ + /********************************************************/ + global $config, $g, $rebuild_rules; + // Exit if there are no configured Snort interfaces + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; $flowbit_rules_file = FLOWBITS_FILENAME; $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - conf_mount_rw(); - - /* See if we should protect and not modify the preprocessor rules files */ - if (!empty($snortcfg['protect_preproc_rules'])) - $protect_preproc_rules = $snortcfg['protect_preproc_rules']; - else - $protect_preproc_rules = "off"; - $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - /* custom home nets */ - $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); - $home_net = implode(",", $home_net_list); - - $external_net = '!$HOME_NET'; - if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { - $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); - $external_net = implode(",", $external_net_list); - } - - /* user added arguments */ - $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); - // Remove the trailing newline - $snort_config_pass_thru = rtrim($snort_config_pass_thru); - - /* create a few directories and ensure the sample files are in place */ - $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", - "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "{$snortlibdir}/dynamicrules", - "dynamicengine" => "{$snortlibdir}/dynamicengine", - "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" - ); - foreach ($snort_dirs as $dir) { - if (!is_dir($dir)) - safe_mkdir($dir); - } - - /********************************************************************/ - /* For fail-safe on an initial startup following installation, and */ - /* before a rules update has occurred, copy the default config */ - /* files to the interface directory. If files already exist in */ - /* the interface directory, or they are newer, that means a rule */ - /* update has been done and we should leave the customized files */ - /* put in place by the rules update process. */ - /********************************************************************/ - $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", - "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", - "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" - ); - foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) { - $ftime = filemtime("{$snortdir}/{$file}"); - if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); - } - } - - /* define alertsystemlog */ - $alertsystemlog_type = ""; - if ($snortcfg['alertsystemlog'] == "on") - $alertsystemlog_type = "output alert_syslog: log_alert"; - - /* define snortunifiedlog */ - $snortunifiedlog_type = ""; - if ($snortcfg['barnyard_enable'] == "on") { - if (isset($snortcfg['unified2_log_limit'])) - $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; - else - $u2_log_limit = "limit 128"; - - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; - if ($snortcfg['barnyard_log_vlan_events'] == 'on') - $snortunifiedlog_type .= ", vlan_event_types"; - if ($snortcfg['barnyard_log_mpls_events'] == 'on') - $snortunifiedlog_type .= ", mpls_event_types"; - } - - /* define spoink */ - $spoink_type = ""; - if ($snortcfg['blockoffenders7'] == "on") { - $pfkill = ""; - if ($snortcfg['blockoffenderskill'] == "on") - $pfkill = "kill"; - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); - /* write Pass List */ - @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); - $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; - } - - /* define selected suppress file */ - $suppress_file_name = ""; - $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); - if (!empty($suppress)) { - $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); - @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); - $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; - } - - /* set the snort performance model */ - $snort_performance = "ac-bnfa"; - if(!empty($snortcfg['performance'])) - $snort_performance = $snortcfg['performance']; - - /* if user has defined a custom ssh port, use it */ - if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) - $ssh_port = $config['system']['ssh']['port']; - else - $ssh_port = "22"; - - /* Define an array of default values for the various preprocessor ports */ - $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", - "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", - "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, - "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", - "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", - "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", - "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", - "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", - "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", - "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", - "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", - "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", - "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", - "GTP_PORTS" => "2123,2152,3386" - ); - - /* Check for defined Aliases that may override default port settings as we build the portvars array */ - $portvardef = ""; - foreach ($snort_ports as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - - /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ - $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; - $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; - $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; - $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; - $stream5_ports_client .= "\t 32778 32779"; - $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; - $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; - $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; - $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; - $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; - $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; - $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; - $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; - $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; - $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; - $stream5_ports_both .= "\t 55555 56712"; - - ///////////////////////////// - /* preprocessor code */ - /* def perform_stat */ - $perform_stat = << '0') { - $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; - if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") - $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; - else - $ftp_telnet_protocol .= "20"; - } - - // Setup the standard FTP commands used for all FTP Server engines - $ftp_cmds = << \ - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ - cmd_validity MACB < string > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity PORT < host_port > \ - cmd_validity PROT < char CSEP > \ - cmd_validity STRU < char FRPO [ string ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > - -EOD; - - // Configure all the FTP_Telnet FTP protocol options - // Iterate and configure the FTP Client engines - $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); - - if (!is_array($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'] = array(); - - // If no FTP client engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; - $ftp_client_engine = ""; - - foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp client "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['max_resp_len'] == "") - $buffer .= "\tmax_resp_len 256 \\\n"; - else - $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - - if ($v['bounce'] == "yes") { - if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { - $net = trim(filter_expand_alias($v['bounce_to_net'])); - $port = trim(filter_expand_alias($v['bounce_to_port'])); - if (!empty($net) && !empty($port) && - snort_is_single_addr_alias($v['bounce_to_net']) && - (is_port($port) || is_portrange($port))) { - $port = preg_replace('/\s+/', ',', $port); - // Change port range delimiter to comma for ftp_telnet client preprocessor - if (is_portrange($port)) - $port = str_replace(":", ",", $port); - $buffer .= "\tbounce yes \\\n"; - $buffer .= "\tbounce_to { {$net},{$port} }\n"; - } - else { - // One or both of the BOUNCE_TO alias values is not right, - // so figure out which and log an appropriate error. - if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) - log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - if (empty($port) || !(is_port($port) || is_portrange($port))) - log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - $buffer .= "\tbounce yes\n"; - } - } - else - $buffer .= "\tbounce yes\n"; - } - else - $buffer .= "\tbounce no\n"; - - // Add this FTP client engine to the master string - $ftp_client_engine .= "{$buffer}\n"; - } - // Trim final trailing newline - rtrim($ftp_client_engine); - - // Iterate and configure the FTP Server engines - $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "ignore_data_chan" => "no", "def_max_param_len" => 100 ); - - if (!is_array($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'] = array(); - - // If no FTP server engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; - $ftp_server_engine = ""; - - foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp server "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['def_max_param_len'] == "") - $buffer .= "\tdef_max_param_len 100 \\\n"; - elseif ($v['def_max_param_len'] <> '0') - $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; - - if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) - $buffer .= "\tports { {$ftp_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $buffer .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); - $buffer .= "\tports { {$ftp_ports} } \\\n"; - } - } - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - if ($v['ignore_data_chan'] == "yes") - $buffer .= "\tignore_data_chan yes \\\n"; - $buffer .= "{$ftp_cmds}\n"; - - // Add this FTP server engine to the master string - $ftp_server_engine .= $buffer; - } - // Remove trailing newlines - rtrim($ftp_server_engine); - - $ftp_preprocessor = << "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", - "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", - "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", - "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", - "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", - "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", - "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", - "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" - ); - - // Change old name from "var" to new name of "ipvar" for IP variables because - // Snort is deprecating the old "var" name in newer versions. - $ipvardef = ""; - foreach ($snort_servers as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $avalue = preg_replace('/\s+/', ',', trim($avalue)); - } - $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; - } - - $snort_preproc_libs = array( - "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", - "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", - "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" - ); - $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", - "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" - ); - $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" - ); - $snort_preprocessors = ""; - foreach ($snort_preproc as $preproc) { - if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { - - /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ - if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) - continue; - - /* NOTE: The $$ is not a bug. It is an advanced feature of php */ - if (!empty($snort_preproc_libs[$preproc])) { - $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; - if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { - @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } else - log_error("Could not find the {$preproclib} file. Snort might error out!"); - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } - } - // Remove final trailing newline - $snort_preprocessors = rtrim($snort_preprocessors); - - $snort_misc_include_rules = ""; - if (file_exists("{$snortcfgdir}/reference.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; - if (file_exists("{$snortcfgdir}/classification.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); - } - - /* generate rule sections to load */ - /* The files are always configured so the update process is easier */ - $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - - // Remove trailing newlines - $snort_misc_include_rules = rtrim($snort_misc_include_rules); - $selected_rules_sections = rtrim($selected_rules_sections); + // Write out snort.conf file using contents of $snort_conf_text + @file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); - /* Create the actual rules files and save in the interface directory */ + // Create the actual rules files and save them in the interface directory snort_prepare_rule_files($snortcfg, $snortcfgdir); - $cksumcheck = "all"; - if ($snortcfg['cksumcheck'] == 'on') - $cksumcheck = "none"; - - /* Pull in user-configurable detection config options */ - $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; - if ($snortcfg['fpm_split_any_any'] == "on") - $cfg_detect_settings .= " split-any-any"; - if ($snortcfg['fpm_search_optimize'] == "on") - $cfg_detect_settings .= " search-optimize"; - if ($snortcfg['fpm_no_stream_inserts'] == "on") - $cfg_detect_settings .= " no_stream_inserts"; - - /* Pull in user-configurable options for Frag3 preprocessor settings */ - /* Get global Frag3 options first and put into a string */ - $frag3_global = "preprocessor frag3_global: "; - if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; - else - $frag3_global .= "memcap 4194304, "; - if (!empty($snortcfg['frag3_max_frags'])) - $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; - else - $frag3_global .= "max_frags 8192"; - if ($snortcfg['frag3_detection'] == "off") - $frag3_global .= ", disabled"; - - $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", - "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", - "overlap_limit" => 0, "min_frag_len" => 0 ); - $frag3_engine = ""; - - // Now iterate configured Frag3 engines and write them to a string if enabled - if ($snortcfg['frag3_detection'] == "on") { - if (!is_array($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'] = array(); - - // If no frag3 tcp engine is configured, use the default - if (empty($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; - - foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { - $frag3_engine .= "preprocessor frag3_engine: "; - $frag3_engine .= "policy {$v['policy']}"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; - else - $frag3_engine .= " \\\n\tbind_to {$tmp}"; - } - else - log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); - } - $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; - $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; - if ($v['detect_anomalies'] == "on") { - $frag3_engine .= " \\\n\tdetect_anomalies"; - $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; - $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; - } - // Add newlines to terminate this engine - $frag3_engine .= "\n\n"; - } - // Remove trailing newline - $frag3_engine = rtrim($frag3_engine); - } - - // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs - $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') - $paf_max_pdu_config .= "0"; - else - $paf_max_pdu_config .= $snortcfg['max_paf']; - - // Pull in user-configurable options for Stream5 preprocessor settings - // Get global options first and put into a string - $stream5_global = "preprocessor stream5_global: \\\n"; - if ($snortcfg['stream5_reassembly'] == "off") - $stream5_global .= "\tdisabled, \\\n"; - if ($snortcfg['stream5_track_tcp'] == "off") - $stream5_global .= "\ttrack_tcp no,"; - else { - $stream5_global .= "\ttrack_tcp yes,"; - if (!empty($snortcfg['stream5_max_tcp'])) - $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; - else - $stream5_global .= " \\\n\tmax_tcp 262144,"; - } - if ($snortcfg['stream5_track_udp'] == "off") - $stream5_global .= " \\\n\ttrack_udp no,"; - else { - $stream5_global .= " \\\n\ttrack_udp yes,"; - if (!empty($snortcfg['stream5_max_udp'])) - $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; - else - $stream5_global .= " \\\n\tmax_udp 131072,"; - } - if ($snortcfg['stream5_track_icmp'] == "on") { - $stream5_global .= " \\\n\ttrack_icmp yes,"; - if (!empty($snortcfg['stream5_max_icmp'])) - $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; - else - $stream5_global .= " \\\n\tmax_icmp 65536,"; - } - else - $stream5_global .= " \\\n\ttrack_icmp no,"; - if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; - else - $stream5_global .= " \\\n\tmemcap 8388608,"; - - if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') - $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; - else - $stream5_global .= " \\\n\tprune_log_max 1048576"; - if ($snortcfg['stream5_flush_on_alert'] == "on") - $stream5_global .= ", \\\n\tflush_on_alert"; - - $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, - "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, - "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, - "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, - "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", - "ports_both" => "default", "ports_server" => "none" ); - $stream5_tcp_engine = ""; - - // Now iterate configured Stream5 TCP engines and write them to a string if enabled - if ($snortcfg['stream5_reassembly'] == "on") { - if (!is_array($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'] = array(); - - // If no stream5 tcp engine is configured, use the default - if (empty($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; - - foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { - $buffer = "preprocessor stream5_tcp: "; - $buffer .= "policy {$v['policy']},"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $buffer .= " \\\n\tbind_to [{$tmp}],"; - else - $buffer .= " \\\n\tbind_to {$tmp},"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); - continue; - } - } - $stream5_tcp_engine .= $buffer; - $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; - $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; - $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; - if ($v['use_static_footprint_sizes'] == "on") - $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; - if ($v['check_session_hijacking'] == "on") - $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; - if ($v['dont_store_lg_pkts'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; - if ($v['no_reassemble_async'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; - if ($v['detect_anomalies'] == "on") - $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; - if ($v['require_3whs'] == "on") - $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; - if (!empty($v['ports_client'])) { - $stream5_tcp_engine .= ", \\\n\tports client"; - if ($v['ports_client'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_client'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_client}"; - else { - $tmp = trim(filter_expand_alias($v['ports_client'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_client}"; - log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_both'])) { - $stream5_tcp_engine .= ", \\\n\tports both"; - if ($v['ports_both'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_both'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_both}"; - else { - $tmp = trim(filter_expand_alias($v['ports_both'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_both}"; - log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { - if ($v['ports_server'] == " all") { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " all"; - } - else { - $tmp = trim(filter_expand_alias($v['ports_server'])); - if (!empty($tmp)) { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - } - else - log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); - } - } - - // Make sure the "ports" parameter is set, or else default to a safe value - if (strpos($stream5_tcp_engine, "ports ") === false) - $stream5_tcp_engine .= ", \\\n\tports both all"; - - // Add a pair of newlines to terminate this engine - $stream5_tcp_engine .= "\n\n"; - } - // Trim off the final trailing newline - $stream5_tcp_engine = rtrim($stream5_tcp_engine); - } - - // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") - $stream5_udp_engine = ""; - else { - $stream5_udp_engine = "preprocessor stream5_udp: "; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; - else - $stream5_udp_engine .= "timeout 30"; - } - - // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { - $stream5_icmp_engine = "preprocessor stream5_icmp: "; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; - else - $stream5_icmp_engine .= "timeout 30"; - } - else - $stream5_icmp_engine = ""; - - // Check for and configure Host Attribute Table if enabled - $host_attrib_config = ""; - if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { - @file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); - $host_attrib_config = "# Host Attribute Table #\n"; - $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; - if (!empty($snortcfg['max_attribute_hosts'])) - $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; - if (!empty($snortcfg['max_attribute_services_per_host'])) - $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; - } - - // Configure the HTTP_INSPECT preprocessor - // Get global options first and put into a string - $http_inspect_global = "preprocessor http_inspect: global "; - if ($snortcfg['http_inspect'] == "off") - $http_inspect_global .= "disabled "; - $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; - $http_inspect_global .= "\tcompress_depth 65535 \\\n"; - $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; - else - $http_inspect_global .= "\tmemcap 150994944 \\\n"; - if (!empty($snortcfg['http_inspect_max_gzip_mem'])) - $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; - else - $http_inspect_global .= "\tmax_gzip_mem 838860"; - if ($snortcfg['http_inspect_proxy_alert'] == "on") - $http_inspect_global .= " \\\n\tproxy_alert"; - - $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", - "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", - "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", - "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", - "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", - "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); - $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); - $http_inspect_servers = ""; - - // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled - if ($snortcfg['http_inspect'] <> "off") { - if (!is_array($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'] = array(); - - // If no http_inspect_engine is configured, use the default - if (empty($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; - - foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { - $buffer = "preprocessor http_inspect_server: \\\n"; - if ($v['name'] == "default") - $buffer .= "\tserver default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "\tserver { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - $http_inspect_servers .= $buffer; - $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; - - if ($v['no_alerts'] == "on") - $http_inspect_servers .= "\tno_alerts \\\n"; - - if ($v['ports'] == "default" || empty($v['ports'])) - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $http_inspect_servers .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - - $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; - $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; - $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; - $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; - $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; - $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; - $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; - if ($v['enable_xff'] == "on") - $http_inspect_servers .= " \\\n\tenable_xff"; - if ($v['enable_cookie'] == "on") - $http_inspect_servers .= " \\\n\tenable_cookie"; - if ($v['normalize_cookies'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_cookies"; - if ($v['normalize_headers'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_headers"; - if ($v['normalize_utf'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_utf"; - if ($v['allow_proxy_use'] == "on") - $http_inspect_servers .= " \\\n\tallow_proxy_use"; - if ($v['inspect_uri_only'] == "on") - $http_inspect_servers .= " \\\n\tinspect_uri_only"; - if ($v['extended_response_inspection'] == "on") { - $http_inspect_servers .= " \\\n\textended_response_inspection"; - if ($v['inspect_gzip'] == "on") { - $http_inspect_servers .= " \\\n\tinspect_gzip"; - if ($v['unlimited_decompress'] == "on") - $http_inspect_servers .= " \\\n\tunlimited_decompress"; - } - if ($v['normalize_javascript'] == "on") { - $http_inspect_servers .= " \\\n\tnormalize_javascript"; - $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; - } - } - if ($v['log_uri'] == "on") - $http_inspect_servers .= " \\\n\tlog_uri"; - if ($v['log_hostname'] == "on") - $http_inspect_servers .= " \\\n\tlog_hostname"; - - // Add a pair of trailing newlines to terminate this server config - $http_inspect_servers .= "\n\n"; - } - /* Trim off the final trailing newline */ - $http_inspect_server = rtrim($http_inspect_server); - } - - // Finally, build the Snort configuration file - $snort_conf_text = << \ No newline at end of file diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 977db98a..d9bc0ee6 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ None Currently there are no FAQ items provided. Snort - 2.9.6.0 - Services:2.9.6.0 pkg v3.0.13 + 2.9.6.2 + Services:2.9.6.2 pkg v3.1 /usr/local/pkg/snort/snort.inc Snort @@ -74,12 +74,17 @@ https://packages.pfsense.org/packages/config/snort/snort_check_cron_misc.inc - /usr/local/www/snort/ + /usr/local/pkg/snort/ + 077 + https://packages.pfsense.org/packages/config/snort/snort_conf_template.inc + + + /usr/local/pkg/snort/ 077 https://packages.pfsense.org/packages/config/snort/snort_migrate_config.php - /usr/local/www/snort/ + /usr/local/pkg/snort/ 077 https://packages.pfsense.org/packages/config/snort/snort_post_install.php @@ -119,7 +124,7 @@ https://packages.pfsense.org/packages/config/snort/snort_download_updates.php - /usr/local/www/snort/ + /usr/local/pkg/snort/ 077 https://packages.pfsense.org/packages/config/snort/snort_check_for_rule_updates.php @@ -248,6 +253,11 @@ 077 https://packages.pfsense.org/packages/config/snort/snort_iprep_list_browser.php + + /usr/local/pkg/snort/ + 077 + https://packages.pfsense.org/packages/config/snort/snort_generate_conf.php + /usr/local/www/widgets/javascript/ 0644 @@ -269,13 +279,13 @@ diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 45443ec2..1c9d8492 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -283,7 +283,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_instance[$instanceid]); + conf_mount_ro(); $rebuild_rules = false; /* Soft-restart Snort to live-load the new rules */ diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 76d5a9df..97301a0f 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -185,7 +185,7 @@ if ($savemsg) { "/>     " - onClick="return confirm('');"/>  + onClick="return confirm('');"/>    diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index a5b9e65e..9a1c7833 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -116,7 +116,7 @@ foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { } unset($files); if ($prune_count > 0) - log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s)...")); + log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/...")); } } diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 667f4044..7e93366a 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -37,7 +37,9 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; if (!defined("VRT_DNLD_URL")) - define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); + define("VRT_DNLD_URL", "https://www.snort.org/rules/"); +if (!defined("SNORT_BIN_VERSION")) + define("SNORT_BIN_VERSION", "2.9.6.1"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) @@ -98,7 +100,7 @@ exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26 // Save the version with decimal delimiters for use in extracting the rules $snort_version = $snortver[0]; if (empty($snort_version)) - $snort_version = "2.9.6.0"; + $snort_version = SNORT_BIN_VERSION; // Create a collapsed version string for use in the tarball filename $snortver[0] = str_replace(".", "", $snortver[0]); @@ -431,10 +433,10 @@ $update_errors = false; /* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { - if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { + if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { /* download snortrules file */ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")); - if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) + if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) $snortdownload = 'off'; } else diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc new file mode 100644 index 00000000..be4791af --- /dev/null +++ b/config/snort/snort_conf_template.inc @@ -0,0 +1,112 @@ + + diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 4d1b3c2e..98a98fd9 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -138,7 +138,9 @@ if ($_POST['save']) { /* Update the snort conf file for this interface. */ $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); /* Soft-restart Snort to live-load new variables. */ snort_reload_config($a_nat[$id]); diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index f35341f1..0fa20e08 100755 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -43,7 +43,6 @@ include("head.inc"); -' . $pgtitle . '

';}?>
@@ -91,7 +90,7 @@ include("head.inc"); document.progressbar.style.visibility='hidden';\n"; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index ecc1e5b5..7f8bc7a1 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -47,7 +47,7 @@ $snort_rules_upd_log = RULES_UPD_LOGFILE; $snortver = array(); exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); if (empty($snortver[0])) - $snortver[0] = "2.9.5.5"; + $snortver[0] = SNORT_BIN_VERSION; $snortver[0] = str_replace(".", "", $snortver[0]); $snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index a5ec0aad..04be18e7 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -68,7 +68,9 @@ if ($_POST['clear']) { $a_nat[$id]['host_attribute_table'] = 'off'; write_config("Snort pkg: cleared Host Attribute Table data for {$a_nat[$id]['interface']}."); $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); $pconfig['host_attribute_data'] = ""; } @@ -80,7 +82,9 @@ if ($_POST['save']) { $a_nat[$id]['host_attribute_table'] = 'off'; write_config("Snort pkg: modified Host Attribute Table data for {$a_nat[$id]['interface']}."); $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); $pconfig['host_attribute_data'] = $_POST['host_attribute_data']; } diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php new file mode 100644 index 00000000..c67ab3d6 --- /dev/null +++ b/config/snort/snort_generate_conf.php @@ -0,0 +1,1351 @@ + "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" +); +foreach ($snort_dirs as $dir) { + if (!is_dir($dir)) + safe_mkdir($dir); +} + +/********************************************************************/ +/* For fail-safe on an initial startup following installation, and */ +/* before a rules update has occurred, copy the default config */ +/* files to the interface directory. If files already exist in */ +/* the interface directory, or they are newer, that means a rule */ +/* update has been done and we should leave the customized files */ +/* put in place by the rules update process. */ +/********************************************************************/ +$snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", + "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", + "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" + ); +foreach ($snort_files as $file) { + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } +} + +/* define alertsystemlog */ +$alertsystemlog_type = ""; +if ($snortcfg['alertsystemlog'] == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; + +/* define snortunifiedlog */ +$snortunifiedlog_type = ""; +if ($snortcfg['barnyard_enable'] == "on") { + if (isset($snortcfg['unified2_log_limit'])) + $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; + else + $u2_log_limit = "limit 128"; + + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; + if ($snortcfg['barnyard_log_vlan_events'] == 'on') + $snortunifiedlog_type .= ", vlan_event_types"; + if ($snortcfg['barnyard_log_mpls_events'] == 'on') + $snortunifiedlog_type .= ", mpls_event_types"; +} + +/* define spoink */ +$spoink_type = ""; +if ($snortcfg['blockoffenders7'] == "on") { + $pfkill = ""; + if ($snortcfg['blockoffenderskill'] == "on") + $pfkill = "kill"; + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + /* write Pass List */ + @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); + $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; +} + +/* define selected suppress file */ +$suppress_file_name = ""; +$suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); +if (!empty($suppress)) { + $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); + @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); + $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; +} + +/* set the snort performance model */ +$snort_performance = "ac-bnfa"; +if(!empty($snortcfg['performance'])) + $snort_performance = $snortcfg['performance']; + +/* if user has defined a custom ssh port, use it */ +if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; +else + $ssh_port = "22"; + +/* Define an array of default values for the various preprocessor ports */ +$snort_ports = array( + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" +); + +/* Check for defined Aliases that may override default port settings as we build the portvars array */ +$portvardef = ""; +foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; +} + +/* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ +$stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; +$stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; +$stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; +$stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; +$stream5_ports_client .= "\t 32778 32779"; +$stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; +$stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; +$stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; +$stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; +$stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; +$stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; +$stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; +$stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; +$stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; +$stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; +$stream5_ports_both .= "\t 55555 56712"; + +/*********************/ +/* preprocessor code */ +/*********************/ + +/* def perform_stat */ + +$perform_stat = << '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; +} + +// Setup the standard FTP commands used for all FTP Server engines +$ftp_cmds = << \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ + cmd_validity MACB < string > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity PORT < host_port > \ + cmd_validity PROT < char CSEP > \ + cmd_validity STRU < char FRPO [ string ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > + +EOD; + +// Configure all the FTP_Telnet FTP protocol options +// Iterate and configure the FTP Client engines +$ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + +if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + +// If no FTP client engine is configured, use the default +// to keep from breaking Snort. +if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; +$ftp_client_engine = ""; + +foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; +} +// Trim final trailing newline +rtrim($ftp_client_engine); + +// Iterate and configure the FTP Server engines +$ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + +if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + +// If no FTP server engine is configured, use the default +// to keep from breaking Snort. +if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; +$ftp_server_engine = ""; + +foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; +} +// Remove trailing newlines +rtrim($ftp_server_engine); + + $ftp_preprocessor = << "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", + "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", + "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", + "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" + ); + +// Change old name from "var" to new name of "ipvar" for IP variables because +// Snort is deprecating the old "var" name in newer versions. +$ipvardef = ""; +foreach ($snort_servers as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); + } + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; +} + +$snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" +); +$snort_preproc = array ( + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", + "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" +); +$default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" +); +$snort_preprocessors = ""; +foreach ($snort_preproc as $preproc) { + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } else + log_error("Could not find the {$preproclib} file. Snort might error out!"); + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } +} +// Remove final trailing newline +$snort_preprocessors = rtrim($snort_preprocessors); + +$snort_misc_include_rules = ""; +if (file_exists("{$snortcfgdir}/reference.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; +if (file_exists("{$snortcfgdir}/classification.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; +if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); +} + +/* generate rule sections to load */ +/* The files are always configured so the update process is easier */ +$selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; +$selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; +$selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + +// Remove trailing newlines +$snort_misc_include_rules = rtrim($snort_misc_include_rules); +$selected_rules_sections = rtrim($selected_rules_sections); + +$cksumcheck = "all"; +if ($snortcfg['cksumcheck'] == 'on') + $cksumcheck = "none"; + +/* Pull in user-configurable detection config options */ +$cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; +if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; +if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; +if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + +/* Pull in user-configurable options for Frag3 preprocessor settings */ +/* Get global Frag3 options first and put into a string */ +$frag3_global = "preprocessor frag3_global: "; +if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; +else + $frag3_global .= "memcap 4194304, "; +if (!empty($snortcfg['frag3_max_frags'])) + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; +else + $frag3_global .= "max_frags 8192"; +if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + +$frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); +$frag3_engine = ""; + +// Now iterate configured Frag3 engines and write them to a string if enabled +if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); +} + +// Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs +$paf_max_pdu_config = "config paf_max: "; +if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') + $paf_max_pdu_config .= "0"; +else + $paf_max_pdu_config .= $snortcfg['max_paf']; + +// Pull in user-configurable options for Stream5 preprocessor settings +// Get global options first and put into a string +$stream5_global = "preprocessor stream5_global: \\\n"; +if ($snortcfg['stream5_reassembly'] == "off") + $stream5_global .= "\tdisabled, \\\n"; +if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; +else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; +} +if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; +else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; +} +if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; +} +else + $stream5_global .= " \\\n\ttrack_icmp no,"; +if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; +else + $stream5_global .= " \\\n\tmemcap 8388608,"; + +if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; +else + $stream5_global .= " \\\n\tprune_log_max 1048576"; +if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + +$stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); +$stream5_tcp_engine = ""; + +// Now iterate configured Stream5 TCP engines and write them to a string if enabled +if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); +} + +// Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled +if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; +else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; +} + +// Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled +if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; +} +else + $stream5_icmp_engine = ""; + +// Check for and configure Host Attribute Table if enabled +$host_attrib_config = ""; +if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + @file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; +} + +// Configure the HTTP_INSPECT preprocessor +// Get global options first and put into a string +$http_inspect_global = "preprocessor http_inspect: global "; +if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; +$http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; +$http_inspect_global .= "\tcompress_depth 65535 \\\n"; +$http_inspect_global .= "\tdecompress_depth 65535 \\\n"; +if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; +else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; +if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; +else + $http_inspect_global .= "\tmax_gzip_mem 838860"; +if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + +$http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); +$http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); +$http_inspect_servers = ""; + +// Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled +if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); +} + +?> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index c82ec57e..8b2ca2bb 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -45,6 +45,9 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; // Calculate the index of the next added Snort interface $id_gen = count($config['installedpackages']['snortglobal']['rule']); +// Get list of configured firewall interfaces +$ifaces = get_configured_interface_list(); + if (isset($_POST['del_x'])) { /* Delete selected Snort interfaces */ if (is_array($_POST['rule'])) { @@ -73,7 +76,7 @@ if (isset($_POST['del_x'])) { snort_create_rc(); else { conf_mount_rw(); - @unlink("{$rcdir}/snort.sh"); + @unlink("{$rcdir}snort.sh"); conf_mount_ro(); } @@ -173,18 +176,33 @@ include_once("fbegin.inc");   - + - - + + - - + +
+ + + + + + + + + + + " + onclick="return intf_del()"> + +
@@ -317,10 +335,20 @@ include_once("fbegin.inc"); - +
+ + + + + + +
@@ -337,14 +365,25 @@ include_once("fbegin.inc"); - + +
- - " - onclick="return intf_del()"> - + + + + + + + + + + + " + onclick="return intf_del()"> + +
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 4c868844..ca8d03ee 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -55,6 +55,13 @@ if (is_null($id)) { exit; } +if (isset($_POST['action'])) + $action = htmlspecialchars($_POST['action'], ENT_QUOTES | ENT_HTML401); +elseif (isset($_GET['action'])) + $action = htmlspecialchars($_GET['action'], ENT_QUOTES | ENT_HTML401); +else + $action = ""; + $pconfig = array(); if (empty($snortglob['rule'][$id]['uuid'])) { /* Adding new interface, so flag rules to build. */ @@ -107,7 +114,36 @@ if (empty($pconfig['blockoffendersip'])) if (empty($pconfig['performance'])) $pconfig['performance'] = "ac-bnfa"; -if ($_POST["save"]) { +// See if creating a new interface by duplicating an existing one +if (strcasecmp($action, 'dup') == 0) { + + // Try to pick the next available physical interface to use + $ifaces = get_configured_interface_list(); + $ifrules = array(); + foreach($a_rule as $r) + $ifrules[] = $r['interface']; + foreach ($ifaces as $i) { + if (!in_array($i, $ifrules)) { + $pconfig['interface'] = $i; + $pconfig['enable'] = 'on'; + $pconfig['descr'] = strtoupper($i); + break; + } + } + if (count($ifrules) == count($ifaces)) { + $input_errors[] = gettext("No more available interfaces to configure for Snort!"); + $interfaces = array(); + $pconfig = array(); + } + + // Set Home Net, External Net, Suppress List and Pass List to defaults + unset($pconfig['suppresslistname']); + unset($pconfig['whitelistname']); + unset($pconfig['homelistname']); + unset($pconfig['externallistname']); +} + +if ($_POST["save"] && !$input_errors) { if (!isset($_POST['interface'])) $input_errors[] = "Interface is mandatory"; @@ -121,6 +157,23 @@ if ($_POST["save"]) { } } + // If Snort is disabled on this interface, stop any running instance, + // save the change, and exit. + if ($_POST['enable'] != 'on') { + $a_rule[$id]['enable'] = $_POST['enable'] ? 'on' : 'off'; + snort_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); + write_config("Snort pkg: modified interface configuration for {$a_rule[$id]['interface']}."); + $rebuild_rules = false; + sync_snort_package_config(); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces.php"); + exit; + } + /* if no errors write to conf */ if (!$input_errors) { $natent = $a_rule[$id]; @@ -157,7 +210,7 @@ if ($_POST["save"]) { if ($_POST['fpm_no_stream_inserts'] == "on") { $natent['fpm_no_stream_inserts'] = 'on'; }else{ $natent['fpm_no_stream_inserts'] = 'off'; } $if_real = get_real_interface($natent['interface']); - if (isset($id) && $a_rule[$id]) { + if (isset($id) && $a_rule[$id] && $action == '') { // See if moving an existing Snort instance to another physical interface if ($natent['interface'] != $a_rule[$id]['interface']) { $oif_real = get_real_interface($a_rule[$id]['interface']); @@ -173,7 +226,15 @@ if ($_POST["save"]) { conf_mount_ro(); } $a_rule[$id] = $natent; - } else { + } + elseif (strcasecmp($action, 'dup') == 0) { + // Duplicating a new interface, so set flag to build new rules + $rebuild_rules = true; + + // Add the new duplicated interface configuration to the [rule] array in config + $a_rule[] = $natent; + } + else { // Adding new interface, so set required interface configuration defaults $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", @@ -221,11 +282,35 @@ if ($_POST["save"]) { $natent['ftp_server_engine']['item'][] = $ftp_server_eng; $natent['smtp_preprocessor'] = 'on'; + $natent['smtp_memcap'] = "838860"; + $natent['smtp_max_mime_mem'] = "838860"; + $natent['smtp_b64_decode_depth'] = "0"; + $natent['smtp_qp_decode_depth'] = "0"; + $natent['smtp_bitenc_decode_depth'] = "0"; + $natent['smtp_uu_decode_depth'] = "0"; + $natent['smtp_email_hdrs_log_depth'] = "1464"; + $natent['smtp_ignore_data'] = 'off'; + $natent['smtp_ignore_tls_data'] = 'on'; + $natent['smtp_log_mail_from'] = 'on'; + $natent['smtp_log_rcpt_to'] = 'on'; + $natent['smtp_log_filename'] = 'on'; + $natent['smtp_log_email_hdrs'] = 'on'; + $natent['dce_rpc_2'] = 'on'; $natent['dns_preprocessor'] = 'on'; $natent['ssl_preproc'] = 'on'; $natent['pop_preproc'] = 'on'; + $natent['pop_memcap'] = "838860"; + $natent['pop_b64_decode_depth'] = "0"; + $natent['pop_qp_decode_depth'] = "0"; + $natent['pop_bitenc_decode_depth'] = "0"; + $natent['pop_uu_decode_depth'] = "0"; $natent['imap_preproc'] = 'on'; + $natent['imap_memcap'] = "838860"; + $natent['imap_b64_decode_depth'] = "0"; + $natent['imap_qp_decode_depth'] = "0"; + $natent['imap_bitenc_decode_depth'] = "0"; + $natent['imap_uu_decode_depth'] = "0"; $natent['sip_preproc'] = 'on'; $natent['other_preprocs'] = 'on'; @@ -326,6 +411,7 @@ include_once("head.inc"); + diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php index 3de8c661..c3536e89 100644 --- a/config/snort/snort_ip_reputation.php +++ b/config/snort/snort_ip_reputation.php @@ -162,7 +162,9 @@ if ($_POST['save'] || $_POST['apply']) { // Update the snort conf file for this interface $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); // Soft-restart Snort to live-load new variables snort_reload_config($a_nat[$id]); diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index d524e9f3..49ab95d5 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -357,6 +357,100 @@ foreach ($rule as &$r) { $updated_cfg = true; } + // Migrate new POP3 preprocessor parameter settings + if (empty($pconfig['pop_memcap'])) { + $pconfig['pop_memcap'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['pop_b64_decode_depth']) && $pconfig['pop_b64_decode_depth'] != '0') { + $pconfig['pop_b64_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['pop_qp_decode_depth']) && $pconfig['pop_qp_decode_depth'] != '0') { + $pconfig['pop_qp_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['pop_bitenc_decode_depth']) && $pconfig['pop_bitenc_decode_depth'] != '0') { + $pconfig['pop_bitenc_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['pop_uu_decode_depth']) && $pconfig['pop_uu_decode_depth'] != '0') { + $pconfig['pop_uu_decode_depth'] = "0"; + $updated_cfg = true; + } + + // Migrate new IMAP preprocessor parameter settings + if (empty($pconfig['imap_memcap'])) { + $pconfig['imap_memcap'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['imap_b64_decode_depth']) && $pconfig['imap_b64_decode_depth'] != '0') { + $pconfig['imap_b64_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['imap_qp_decode_depth']) && $pconfig['imap_qp_decode_depth'] != '0') { + $pconfig['imap_qp_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['imap_bitenc_decode_depth']) && $pconfig['imap_bitenc_decode_depth'] != '0') { + $pconfig['imap_bitenc_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['imap_uu_decode_depth']) && $pconfig['imap_uu_decode_depth'] != '0') { + $pconfig['imap_uu_decode_depth'] = "0"; + $updated_cfg = true; + } + + // Migrate new SMTP preprocessor parameter settings + if (empty($pconfig['smtp_memcap'])) { + $pconfig['smtp_memcap'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_max_mime_mem'])) { + $pconfig['smtp_max_mime_mem'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_b64_decode_depth'])) { + $pconfig['smtp_b64_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_qp_decode_depth'])) { + $pconfig['smtp_qp_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_bitenc_decode_depth'])) { + $pconfig['smtp_bitenc_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_uu_decode_depth'])) { + $pconfig['smtp_uu_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_email_hdrs_log_depth']) && $pconfig['smtp_email_hdrs_log_depth'] != '0') { + $pconfig['smtp_email_hdrs_log_depth'] = "1464"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_ignore_tls_data'])) { + $pconfig['smtp_ignore_tls_data'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_mail_from'])) { + $pconfig['smtp_log_mail_from'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_rcpt_to'])) { + $pconfig['smtp_log_rcpt_to'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_filename'])) { + $pconfig['smtp_log_filename'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_email_hdrs'])) { + $pconfig['smtp_log_email_hdrs'] = 'on'; + $updated_cfg = true; + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } @@ -365,7 +459,7 @@ unset($r); // Write out the new configuration to disk if we changed anything if ($updated_cfg) { - $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.13"; + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1"; log_error("[Snort] Saving configuration settings in new format..."); write_config("Snort pkg: migrate existing settings to new format as part of package upgrade."); log_error("[Snort] Settings successfully migrated to new configuration format..."); diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 6b645df5..b36578b8 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -48,1328 +48,6 @@ $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $rcdir = RCFILEPREFIX; -// This is a hack to workaround the caching of the old "snort.inc" by the -// Package Manager installation code. We need this new function which is -// in the new snort.inc file during post-installation. -if (!function_exists('snort_expand_port_range')) { - function snort_expand_port_range($ports, $delim = ',') { - // Split the incoming string on the specified delimiter - $tmp = explode($delim, $ports); - - // Look for any included port range and expand it - foreach ($tmp as $val) { - if (is_portrange($val)) { - $start = strtok($val, ":"); - $end = strtok(":"); - if ($end !== false) { - $val = $start . $delim; - for ($i = intval($start) + 1; $i < intval($end); $i++) - $val .= strval($i) . $delim; - $val .= $end; - } - } - $value .= $val . $delim; - } - - // Remove any trailing delimiter in return value - return trim($value, $delim); - } -} - -// This function mirrors the "snort_generate_conf()" function in the -// "snort.inc" file. It is here with a modified name as a workaround -// so that functionality built into the new package version can be -// implemented during installation. During a package reinstall, the -// Package Manager will cache the old version of "snort.inc" and thus -// new features are not available from the new "snort.inc" file in the -// new package. -function snort_build_new_conf($snortcfg) { - - global $config, $g, $rebuild_rules; - - $snortdir = SNORTDIR; - $snortlibdir = SNORTLIBDIR; - $snortlogdir = SNORTLOGDIR; - $flowbit_rules_file = FLOWBITS_FILENAME; - $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; - - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - conf_mount_rw(); - - /* See if we should protect and not modify the preprocessor rules files */ - if (!empty($snortcfg['protect_preproc_rules'])) - $protect_preproc_rules = $snortcfg['protect_preproc_rules']; - else - $protect_preproc_rules = "off"; - - $if_real = get_real_interface($snortcfg['interface']); - $snort_uuid = $snortcfg['uuid']; - $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - - /* custom home nets */ - $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); - $home_net = implode(",", $home_net_list); - - $external_net = '!$HOME_NET'; - if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { - $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); - $external_net = implode(",", $external_net_list); - } - - /* user added arguments */ - $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); - // Remove the trailing newline - $snort_config_pass_thru = rtrim($snort_config_pass_thru); - - /* create a few directories and ensure the sample files are in place */ - $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", - "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "{$snortlibdir}/dynamicrules", - "dynamicengine" => "{$snortlibdir}/dynamicengine", - "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" - ); - foreach ($snort_dirs as $dir) { - if (!is_dir($dir)) - safe_mkdir($dir); - } - - /********************************************************************/ - /* For fail-safe on an initial startup following installation, and */ - /* before a rules update has occurred, copy the default config */ - /* files to the interface directory. If files already exist in */ - /* the interface directory, or they are newer, that means a rule */ - /* update has been done and we should leave the customized files */ - /* put in place by the rules update process. */ - /********************************************************************/ - $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", - "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", - "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" - ); - foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) { - $ftime = filemtime("{$snortdir}/{$file}"); - if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); - } - } - - /* define alertsystemlog */ - $alertsystemlog_type = ""; - if ($snortcfg['alertsystemlog'] == "on") - $alertsystemlog_type = "output alert_syslog: log_alert"; - - /* define snortunifiedlog */ - $snortunifiedlog_type = ""; - if ($snortcfg['barnyard_enable'] == "on") { - if (isset($snortcfg['unified2_log_limit'])) - $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; - else - $u2_log_limit = "limit 128"; - - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; - if ($snortcfg['barnyard_log_vlan_events'] == 'on') - $snortunifiedlog_type .= ", vlan_event_types"; - if ($snortcfg['barnyard_log_mpls_events'] == 'on') - $snortunifiedlog_type .= ", mpls_event_types"; - } - - /* define spoink */ - $spoink_type = ""; - if ($snortcfg['blockoffenders7'] == "on") { - $pfkill = ""; - if ($snortcfg['blockoffenderskill'] == "on") - $pfkill = "kill"; - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); - /* write whitelist */ - @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); - $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; - } - - /* define selected suppress file */ - $suppress_file_name = ""; - $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); - if (!empty($suppress)) { - $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); - @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); - $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; - } - - /* set the snort performance model */ - $snort_performance = "ac-bnfa"; - if(!empty($snortcfg['performance'])) - $snort_performance = $snortcfg['performance']; - - /* if user has defined a custom ssh port, use it */ - if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) - $ssh_port = $config['system']['ssh']['port']; - else - $ssh_port = "22"; - - /* Define an array of default values for the various preprocessor ports */ - $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", - "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", - "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, - "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", - "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", - "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", - "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", - "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", - "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", - "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", - "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", - "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", - "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", - "GTP_PORTS" => "2123,2152,3386" - ); - - /* Check for defined Aliases that may override default port settings as we build the portvars array */ - $portvardef = ""; - foreach ($snort_ports as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - - /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ - $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; - $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; - $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; - $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; - $stream5_ports_client .= "\t 32778 32779"; - $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; - $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; - $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; - $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; - $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; - $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; - $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; - $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; - $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; - $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; - $stream5_ports_both .= "\t 55555 56712"; - - ///////////////////////////// - /* preprocessor code */ - /* def perform_stat */ - $perform_stat = << '0') { - $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; - if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") - $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; - else - $ftp_telnet_protocol .= "20"; - } - - // Setup the standard FTP commands used for all FTP Server engines - $ftp_cmds = << \ - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ - cmd_validity MACB < string > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity PORT < host_port > \ - cmd_validity PROT < char CSEP > \ - cmd_validity STRU < char FRPO [ string ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > - -EOD; - - // Configure all the FTP_Telnet FTP protocol options - // Iterate and configure the FTP Client engines - $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); - - if (!is_array($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'] = array(); - - // If no FTP client engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; - $ftp_client_engine = ""; - - foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp client "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['max_resp_len'] == "") - $buffer .= "\tmax_resp_len 256 \\\n"; - else - $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - - if ($v['bounce'] == "yes") { - if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { - $net = trim(filter_expand_alias($v['bounce_to_net'])); - $port = trim(filter_expand_alias($v['bounce_to_port'])); - if (!empty($net) && !empty($port) && - snort_is_single_addr_alias($v['bounce_to_net']) && - (is_port($port) || is_portrange($port))) { - $port = preg_replace('/\s+/', ',', $port); - // Change port range delimiter to comma for ftp_telnet client preprocessor - if (is_portrange($port)) - $port = str_replace(":", ",", $port); - $buffer .= "\tbounce yes \\\n"; - $buffer .= "\tbounce_to { {$net},{$port} }\n"; - } - else { - // One or both of the BOUNCE_TO alias values is not right, - // so figure out which and log an appropriate error. - if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) - log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - if (empty($port) || !(is_port($port) || is_portrange($port))) - log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - $buffer .= "\tbounce yes\n"; - } - } - else - $buffer .= "\tbounce yes\n"; - } - else - $buffer .= "\tbounce no\n"; - - // Add this FTP client engine to the master string - $ftp_client_engine .= "{$buffer}\n"; - } - // Trim final trailing newline - rtrim($ftp_client_engine); - - // Iterate and configure the FTP Server engines - $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "ignore_data_chan" => "no", "def_max_param_len" => 100 ); - - if (!is_array($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'] = array(); - - // If no FTP server engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; - $ftp_server_engine = ""; - - foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp server "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['def_max_param_len'] == "") - $buffer .= "\tdef_max_param_len 100 \\\n"; - elseif ($v['def_max_param_len'] <> '0') - $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; - - if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) - $buffer .= "\tports { {$ftp_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $buffer .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); - $buffer .= "\tports { {$ftp_ports} } \\\n"; - } - } - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - if ($v['ignore_data_chan'] == "yes") - $buffer .= "\tignore_data_chan yes \\\n"; - $buffer .= "{$ftp_cmds}\n"; - - // Add this FTP server engine to the master string - $ftp_server_engine .= $buffer; - } - // Remove trailing newlines - rtrim($ftp_server_engine); - - $ftp_preprocessor = << "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", - "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", - "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", - "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", - "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", - "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", - "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", - "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" - ); - - // Change old name from "var" to new name of "ipvar" for IP variables because - // Snort is deprecating the old "var" name in newer versions. - $ipvardef = ""; - foreach ($snort_servers as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $avalue = preg_replace('/\s+/', ',', trim($avalue)); - } - $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; - } - - $snort_preproc_libs = array( - "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", - "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", - "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" - ); - $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", - "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" - ); - $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" - ); - $snort_preprocessors = ""; - foreach ($snort_preproc as $preproc) { - if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { - - /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ - if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) - continue; - - /* NOTE: The $$ is not a bug. It is an advanced feature of php */ - if (!empty($snort_preproc_libs[$preproc])) { - $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; - if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { - @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } else - log_error("Could not find the {$preproclib} file. Snort might error out!"); - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } - } - // Remove final trailing newline - $snort_preprocessors = rtrim($snort_preprocessors); - - $snort_misc_include_rules = ""; - if (file_exists("{$snortcfgdir}/reference.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; - if (file_exists("{$snortcfgdir}/classification.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); - } - - /* generate rule sections to load */ - /* The files are always configured so the update process is easier */ - $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - - // Remove trailing newlines - $snort_misc_include_rules = rtrim($snort_misc_include_rules); - $selected_rules_sections = rtrim($selected_rules_sections); - - /* Create the actual rules files and save in the interface directory */ - snort_prepare_rule_files($snortcfg, $snortcfgdir); - - $cksumcheck = "all"; - if ($snortcfg['cksumcheck'] == 'on') - $cksumcheck = "none"; - - /* Pull in user-configurable detection config options */ - $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; - if ($snortcfg['fpm_split_any_any'] == "on") - $cfg_detect_settings .= " split-any-any"; - if ($snortcfg['fpm_search_optimize'] == "on") - $cfg_detect_settings .= " search-optimize"; - if ($snortcfg['fpm_no_stream_inserts'] == "on") - $cfg_detect_settings .= " no_stream_inserts"; - - /* Pull in user-configurable options for Frag3 preprocessor settings */ - /* Get global Frag3 options first and put into a string */ - $frag3_global = "preprocessor frag3_global: "; - if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; - else - $frag3_global .= "memcap 4194304, "; - if (!empty($snortcfg['frag3_max_frags'])) - $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; - else - $frag3_global .= "max_frags 8192"; - if ($snortcfg['frag3_detection'] == "off") - $frag3_global .= ", disabled"; - - $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", - "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", - "overlap_limit" => 0, "min_frag_len" => 0 ); - $frag3_engine = ""; - - // Now iterate configured Frag3 engines and write them to a string if enabled - if ($snortcfg['frag3_detection'] == "on") { - if (!is_array($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'] = array(); - - // If no frag3 tcp engine is configured, use the default - if (empty($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; - - foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { - $frag3_engine .= "preprocessor frag3_engine: "; - $frag3_engine .= "policy {$v['policy']}"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; - else - $frag3_engine .= " \\\n\tbind_to {$tmp}"; - } - else - log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); - } - $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; - $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; - if ($v['detect_anomalies'] == "on") { - $frag3_engine .= " \\\n\tdetect_anomalies"; - $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; - $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; - } - // Add newlines to terminate this engine - $frag3_engine .= "\n\n"; - } - // Remove trailing newline - $frag3_engine = rtrim($frag3_engine); - } - - // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs - $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') - $paf_max_pdu_config .= "0"; - else - $paf_max_pdu_config .= $snortcfg['max_paf']; - - // Pull in user-configurable options for Stream5 preprocessor settings - // Get global options first and put into a string - $stream5_global = "preprocessor stream5_global: \\\n"; - if ($snortcfg['stream5_reassembly'] == "off") - $stream5_global .= "\tdisabled, \\\n"; - if ($snortcfg['stream5_track_tcp'] == "off") - $stream5_global .= "\ttrack_tcp no,"; - else { - $stream5_global .= "\ttrack_tcp yes,"; - if (!empty($snortcfg['stream5_max_tcp'])) - $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; - else - $stream5_global .= " \\\n\tmax_tcp 262144,"; - } - if ($snortcfg['stream5_track_udp'] == "off") - $stream5_global .= " \\\n\ttrack_udp no,"; - else { - $stream5_global .= " \\\n\ttrack_udp yes,"; - if (!empty($snortcfg['stream5_max_udp'])) - $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; - else - $stream5_global .= " \\\n\tmax_udp 131072,"; - } - if ($snortcfg['stream5_track_icmp'] == "on") { - $stream5_global .= " \\\n\ttrack_icmp yes,"; - if (!empty($snortcfg['stream5_max_icmp'])) - $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; - else - $stream5_global .= " \\\n\tmax_icmp 65536,"; - } - else - $stream5_global .= " \\\n\ttrack_icmp no,"; - if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; - else - $stream5_global .= " \\\n\tmemcap 8388608,"; - - if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') - $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; - else - $stream5_global .= " \\\n\tprune_log_max 1048576"; - if ($snortcfg['stream5_flush_on_alert'] == "on") - $stream5_global .= ", \\\n\tflush_on_alert"; - - $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, - "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, - "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, - "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, - "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", - "ports_both" => "default", "ports_server" => "none" ); - $stream5_tcp_engine = ""; - - // Now iterate configured Stream5 TCP engines and write them to a string if enabled - if ($snortcfg['stream5_reassembly'] == "on") { - if (!is_array($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'] = array(); - - // If no stream5 tcp engine is configured, use the default - if (empty($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; - - foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { - $buffer = "preprocessor stream5_tcp: "; - $buffer .= "policy {$v['policy']},"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $buffer .= " \\\n\tbind_to [{$tmp}],"; - else - $buffer .= " \\\n\tbind_to {$tmp},"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); - continue; - } - } - $stream5_tcp_engine .= $buffer; - $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; - $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; - $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; - if ($v['use_static_footprint_sizes'] == "on") - $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; - if ($v['check_session_hijacking'] == "on") - $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; - if ($v['dont_store_lg_pkts'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; - if ($v['no_reassemble_async'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; - if ($v['detect_anomalies'] == "on") - $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; - if ($v['require_3whs'] == "on") - $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; - if (!empty($v['ports_client'])) { - $stream5_tcp_engine .= ", \\\n\tports client"; - if ($v['ports_client'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_client'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_client}"; - else { - $tmp = trim(filter_expand_alias($v['ports_client'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_client}"; - log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_both'])) { - $stream5_tcp_engine .= ", \\\n\tports both"; - if ($v['ports_both'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_both'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_both}"; - else { - $tmp = trim(filter_expand_alias($v['ports_both'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_both}"; - log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { - if ($v['ports_server'] == " all") { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " all"; - } - else { - $tmp = trim(filter_expand_alias($v['ports_server'])); - if (!empty($tmp)) { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - } - else - log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); - } - } - - // Make sure the "ports" parameter is set, or else default to a safe value - if (strpos($stream5_tcp_engine, "ports ") === false) - $stream5_tcp_engine .= ", \\\n\tports both all"; - - // Add a pair of newlines to terminate this engine - $stream5_tcp_engine .= "\n\n"; - } - // Trim off the final trailing newline - $stream5_tcp_engine = rtrim($stream5_tcp_engine); - } - - // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") - $stream5_udp_engine = ""; - else { - $stream5_udp_engine = "preprocessor stream5_udp: "; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; - else - $stream5_udp_engine .= "timeout 30"; - } - - // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { - $stream5_icmp_engine = "preprocessor stream5_icmp: "; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; - else - $stream5_icmp_engine .= "timeout 30"; - } - else - $stream5_icmp_engine = ""; - - // Check for and configure Host Attribute Table if enabled - $host_attrib_config = ""; - if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { - file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); - $host_attrib_config = "# Host Attribute Table #\n"; - $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; - if (!empty($snortcfg['max_attribute_hosts'])) - $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; - if (!empty($snortcfg['max_attribute_services_per_host'])) - $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; - } - - // Configure the HTTP_INSPECT preprocessor - // Get global options first and put into a string - $http_inspect_global = "preprocessor http_inspect: global "; - if ($snortcfg['http_inspect'] == "off") - $http_inspect_global .= "disabled "; - $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; - $http_inspect_global .= "\tcompress_depth 65535 \\\n"; - $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; - else - $http_inspect_global .= "\tmemcap 150994944 \\\n"; - if (!empty($snortcfg['http_inspect_max_gzip_mem'])) - $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; - else - $http_inspect_global .= "\tmax_gzip_mem 838860"; - if ($snortcfg['http_inspect_proxy_alert'] == "on") - $http_inspect_global .= " \\\n\tproxy_alert"; - - $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", - "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", - "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", - "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", - "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", - "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); - $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); - $http_inspect_servers = ""; - - // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled - if ($snortcfg['http_inspect'] <> "off") { - if (!is_array($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'] = array(); - - // If no http_inspect_engine is configured, use the default - if (empty($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; - - foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { - $buffer = "preprocessor http_inspect_server: \\\n"; - if ($v['name'] == "default") - $buffer .= "\tserver default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "\tserver { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - $http_inspect_servers .= $buffer; - $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; - - if ($v['no_alerts'] == "on") - $http_inspect_servers .= "\tno_alerts \\\n"; - - if ($v['ports'] == "default" || empty($v['ports'])) - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $http_inspect_servers .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - - $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; - $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; - $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; - $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; - $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; - $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; - $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; - if ($v['enable_xff'] == "on") - $http_inspect_servers .= " \\\n\tenable_xff"; - if ($v['enable_cookie'] == "on") - $http_inspect_servers .= " \\\n\tenable_cookie"; - if ($v['normalize_cookies'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_cookies"; - if ($v['normalize_headers'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_headers"; - if ($v['normalize_utf'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_utf"; - if ($v['allow_proxy_use'] == "on") - $http_inspect_servers .= " \\\n\tallow_proxy_use"; - if ($v['inspect_uri_only'] == "on") - $http_inspect_servers .= " \\\n\tinspect_uri_only"; - if ($v['extended_response_inspection'] == "on") { - $http_inspect_servers .= " \\\n\textended_response_inspection"; - if ($v['inspect_gzip'] == "on") { - $http_inspect_servers .= " \\\n\tinspect_gzip"; - if ($v['unlimited_decompress'] == "on") - $http_inspect_servers .= " \\\n\tunlimited_decompress"; - } - if ($v['normalize_javascript'] == "on") { - $http_inspect_servers .= " \\\n\tnormalize_javascript"; - $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; - } - } - if ($v['log_uri'] == "on") - $http_inspect_servers .= " \\\n\tlog_uri"; - if ($v['log_hostname'] == "on") - $http_inspect_servers .= " \\\n\tlog_hostname"; - - // Add a pair of trailing newlines to terminate this server config - $http_inspect_servers .= "\n\n"; - } - /* Trim off the final trailing newline */ - $http_inspect_server = rtrim($http_inspect_server); - } - - // Finally, build the Snort configuration file - $snort_conf_text = << "console") $snort_gui_include = true; - include('/usr/local/www/snort/snort_check_for_rule_updates.php'); + include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); update_status(gettext("Generating snort.conf configuration file from saved settings...")); $rebuild_rules = true; @@ -1451,7 +132,7 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { $if_real = get_real_interface($value['interface']); /* create a snort.conf file for interface */ - snort_build_new_conf($value); + snort_generate_conf($value); /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') @@ -1479,22 +160,25 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); /* Only try to start Snort if not in reboot */ - if (!$g['booting']) { + if (!($g['booting'])) { update_status(gettext("Starting Snort using rebuilt configuration...")); update_output_window(gettext("Please wait... while Snort is started...")); log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - start_service("snort"); - update_output_window(gettext("Snort has been started using the rebuilt configuration...")); + mwexec_bg("{$rcdir}snort.sh start"); + update_output_window(gettext("Snort is starting using the rebuilt configuration...")); } } +/* We're finished with conf partition mods, return to read-only */ +conf_mount_ro(); + /* If an existing Snort Dashboard Widget container is not found, */ /* then insert our default Widget Dashboard container. */ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE) $config['widgets']['sequence'] .= ",{$snort_widget_container}"; /* Update Snort package version in configuration */ -$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.13"; +$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1"; write_config("Snort pkg: post-install configuration saved."); /* Done with post-install, so clear flag */ diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 5cee95df..da1c515e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -117,16 +117,64 @@ if (isset($id) && isset($a_nat[$id])) { if (empty($pconfig['smtp_preprocessor'])) $pconfig['smtp_preprocessor'] = 'on'; + if (empty($pconfig['smtp_memcap'])) + $pconfig['smtp_memcap'] = "838860"; + if (empty($pconfig['smtp_max_mime_mem'])) + $pconfig['smtp_max_mime_mem'] = "838860"; + if (empty($pconfig['smtp_b64_decode_depth'])) + $pconfig['smtp_b64_decode_depth'] = "0"; + if (empty($pconfig['smtp_qp_decode_depth'])) + $pconfig['smtp_qp_decode_depth'] = "0"; + if (empty($pconfig['smtp_bitenc_decode_depth'])) + $pconfig['smtp_bitenc_decode_depth'] = "0"; + if (empty($pconfig['smtp_uu_decode_depth'])) + $pconfig['smtp_uu_decode_depth'] = "0"; + if (empty($pconfig['smtp_email_hdrs_log_depth']) && $pconfig['smtp_email_hdrs_log_depth'] != '0') + $pconfig['smtp_email_hdrs_log_depth'] = "1464"; + if (empty($pconfig['smtp_ignore_tls_data'])) + $pconfig['smtp_ignore_tls_data'] = 'on'; + if (empty($pconfig['smtp_log_mail_from'])) + $pconfig['smtp_log_mail_from'] = 'on'; + if (empty($pconfig['smtp_log_rcpt_to'])) + $pconfig['smtp_log_rcpt_to'] = 'on'; + if (empty($pconfig['smtp_log_filename'])) + $pconfig['smtp_log_filename'] = 'on'; + if (empty($pconfig['smtp_log_email_hdrs'])) + $pconfig['smtp_log_email_hdrs'] = 'on'; + if (empty($pconfig['dce_rpc_2'])) $pconfig['dce_rpc_2'] = 'on'; if (empty($pconfig['dns_preprocessor'])) $pconfig['dns_preprocessor'] = 'on'; if (empty($pconfig['ssl_preproc'])) $pconfig['ssl_preproc'] = 'on'; + if (empty($pconfig['pop_preproc'])) $pconfig['pop_preproc'] = 'on'; + if (empty($pconfig['pop_memcap'])) + $pconfig['pop_memcap'] = "838860"; + if (empty($pconfig['pop_b64_decode_depth'])) + $pconfig['pop_b64_decode_depth'] = "0"; + if (empty($pconfig['pop_qp_decode_depth'])) + $pconfig['pop_qp_decode_depth'] = "0"; + if (empty($pconfig['pop_bitenc_decode_depth'])) + $pconfig['pop_bitenc_decode_depth'] = "0"; + if (empty($pconfig['pop_uu_decode_depth'])) + $pconfig['pop_uu_decode_depth'] = "0"; + if (empty($pconfig['imap_preproc'])) $pconfig['imap_preproc'] = 'on'; + if (empty($pconfig['imap_memcap'])) + $pconfig['imap_memcap'] = "838860"; + if (empty($pconfig['imap_b64_decode_depth'])) + $pconfig['imap_b64_decode_depth'] = "0"; + if (empty($pconfig['imap_qp_decode_depth'])) + $pconfig['imap_qp_decode_depth'] = "0"; + if (empty($pconfig['imap_bitenc_decode_depth'])) + $pconfig['imap_bitenc_decode_depth'] = "0"; + if (empty($pconfig['imap_uu_decode_depth'])) + $pconfig['imap_uu_decode_depth'] = "0"; + if (empty($pconfig['sip_preproc'])) $pconfig['sip_preproc'] = 'on'; if (empty($pconfig['other_preprocs'])) @@ -270,6 +318,19 @@ if ($_POST['ResetAll']) { $pconfig['ftp_telnet_detect_anomalies'] = "on"; $pconfig['ftp_telnet_ayt_attack_threshold'] = "20"; $pconfig['smtp_preprocessor'] = "on"; + $pconfig['smtp_memcap'] = "838860"; + $pconfig['smtp_max_mime_mem'] = "838860"; + $pconfig['smtp_b64_decode_depth'] = "0"; + $pconfig['smtp_qp_decode_depth'] = "0"; + $pconfig['smtp_bitenc_decode_depth'] = "0"; + $pconfig['smtp_uu_decode_depth'] = "0"; + $pconfig['smtp_email_hdrs_log_depth'] = "1464"; + $pconfig['smtp_ignore_data'] = 'off'; + $pconfig['smtp_ignore_tls_data'] = 'on'; + $pconfig['smtp_log_mail_from'] = 'on'; + $pconfig['smtp_log_rcpt_to'] = 'on'; + $pconfig['smtp_log_filename'] = 'on'; + $pconfig['smtp_log_email_hdrs'] = 'on'; $pconfig['sf_portscan'] = "off"; $pconfig['pscan_protocol'] = "all"; $pconfig['pscan_type'] = "all"; @@ -284,7 +345,17 @@ if ($_POST['ResetAll']) { $pconfig['sdf_mask_output'] = "off"; $pconfig['ssl_preproc'] = "on"; $pconfig['pop_preproc'] = "on"; + $pconfig['pop_memcap'] = "838860"; + $pconfig['pop_b64_decode_depth'] = "0"; + $pconfig['pop_qp_decode_depth'] = "0"; + $pconfig['pop_bitenc_decode_depth'] = "0"; + $pconfig['pop_uu_decode_depth'] = "0"; $pconfig['imap_preproc'] = "on"; + $pconfig['imap_memcap'] = "838860"; + $pconfig['imap_b64_decode_depth'] = "0"; + $pconfig['imap_qp_decode_depth'] = "0"; + $pconfig['imap_bitenc_decode_depth'] = "0"; + $pconfig['imap_uu_decode_depth'] = "0"; $pconfig['sip_preproc'] = "on"; $pconfig['dnp3_preproc'] = "off"; $pconfig['modbus_preproc'] = "off"; @@ -312,6 +383,52 @@ if ($_POST['save']) { $input_errors[] = gettext("You must select at least one sensitive data type to inspect for when Sensitive Data detection is enabled."); } + // Validate POP3 parameter values if POP3 Decoder is enabled + if ($_POST['pop_preproc'] == 'on') { + if ($_POST['pop_memcap'] < 3276 || $_POST['pop_memcap'] > 104857600) + $input_errors[] = gettext("The value for POP3 Decoder Memory Cap must be between 3,276 and 104,857,600."); + if ($_POST['pop_b64_decode_depth'] < -1 || $_POST['pop_b64_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Base64 Decode Depth must be between -1 and 65,535."); + if ($_POST['pop_qp_decode_depth'] < -1 || $_POST['pop_qp_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535."); + if ($_POST['pop_bitenc_decode_depth'] < -1 || $_POST['pop_bitenc_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535."); + if ($_POST['pop_uu_decode_depth'] < -1 || $_POST['pop_uu_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535."); + } + + // Validate IMAP parameter values if IMAP Decoder is enabled + if ($_POST['imap_preproc'] == 'on') { + if ($_POST['imap_memcap'] < 3276 || $_POST['imap_memcap'] > 104857600) + $input_errors[] = gettext("The value for IMAP Decoder Memory Cap must be between 3,276 and 104,857,600."); + if ($_POST['imap_b64_decode_depth'] < -1 || $_POST['imap_b64_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Base64 Decode Depth must be between -1 and 65,535."); + if ($_POST['imap_qp_decode_depth'] < -1 || $_POST['imap_qp_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535."); + if ($_POST['imap_bitenc_decode_depth'] < -1 || $_POST['imap_bitenc_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535."); + if ($_POST['imap_uu_decode_depth'] < -1 || $_POST['imap_uu_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535."); + } + + // Validate SMTP parameter values if SMTP Decoder is enabled + if ($_POST['smtp_preprocessor'] == 'on') { + if ($_POST['smtp_memcap'] < 3276 || $_POST['smtp_memcap'] > 104857600) + $input_errors[] = gettext("The value for SMTP Decoder Memory Cap must be between 3,276 and 104,857,600."); + if ($_POST['smtp_max_mime_mem'] < 3276 || $_POST['smtp_max_mime_mem'] > 104857600) + $input_errors[] = gettext("The value for SMTP Decoder Maximum MIME Memory must be between 3,276 and 104,857,600."); + if ($_POST['smtp_b64_decode_depth'] < -1 || $_POST['smtp_b64_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Base64 Decode Depth must be between -1 and 65,535."); + if ($_POST['smtp_qp_decode_depth'] < -1 || $_POST['smtp_qp_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535."); + if ($_POST['smtp_bitenc_decode_depth'] < -1 || $_POST['smtp_bitenc_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535."); + if ($_POST['smtp_uu_decode_depth'] < -1 || $_POST['smtp_uu_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535."); + if ($_POST['smtp_email_hdrs_log_depth'] < 0 || $_POST['smtp_email_hdrs_log_depth'] > 20480) + $input_errors[] = gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480."); + } + /* if no errors write to conf */ if (!$input_errors) { /* post new options */ @@ -337,6 +454,23 @@ if ($_POST['save']) { if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; } if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; } if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; } + if ($_POST['pop_memcap'] != "") { $natent['pop_memcap'] = $_POST['pop_memcap']; }else{ $natent['pop_memcap'] = "838860"; } + if ($_POST['pop_b64_decode_depth'] != "") { $natent['pop_b64_decode_depth'] = $_POST['pop_b64_decode_depth']; }else{ $natent['pop_b64_decode_depth'] = "0"; } + if ($_POST['pop_qp_decode_depth'] != "") { $natent['pop_qp_decode_depth'] = $_POST['pop_qp_decode_depth']; }else{ $natent['pop_qp_decode_depth'] = "0"; } + if ($_POST['pop_bitenc_decode_depth'] != "") { $natent['pop_bitenc_decode_depth'] = $_POST['pop_bitenc_decode_depth']; }else{ $natent['pop_bitenc_decode_depth'] = "0"; } + if ($_POST['pop_uu_decode_depth'] != "") { $natent['pop_uu_decode_depth'] = $_POST['pop_uu_decode_depth']; }else{ $natent['pop_uu_decode_depth'] = "0"; } + if ($_POST['imap_memcap'] != "") { $natent['imap_memcap'] = $_POST['imap_memcap']; }else{ $natent['imap_memcap'] = "838860"; } + if ($_POST['imap_b64_decode_depth'] != "") { $natent['imap_b64_decode_depth'] = $_POST['imap_b64_decode_depth']; }else{ $natent['imap_b64_decode_depth'] = "0"; } + if ($_POST['imap_qp_decode_depth'] != "") { $natent['imap_qp_decode_depth'] = $_POST['imap_qp_decode_depth']; }else{ $natent['imap_qp_decode_depth'] = "0"; } + if ($_POST['imap_bitenc_decode_depth'] != "") { $natent['imap_bitenc_decode_depth'] = $_POST['imap_bitenc_decode_depth']; }else{ $natent['imap_bitenc_decode_depth'] = "0"; } + if ($_POST['imap_uu_decode_depth'] != "") { $natent['imap_uu_decode_depth'] = $_POST['imap_uu_decode_depth']; }else{ $natent['imap_uu_decode_depth'] = "0"; } + if ($_POST['smtp_memcap'] != "") { $natent['smtp_memcap'] = $_POST['smtp_memcap']; }else{ $natent['smtp_memcap'] = "838860"; } + if ($_POST['smtp_max_mime_mem'] != "") { $natent['smtp_max_mime_mem'] = $_POST['smtp_max_mime_mem']; }else{ $natent['smtp_max_mime_mem'] = "838860"; } + if ($_POST['smtp_b64_decode_depth'] != "") { $natent['smtp_b64_decode_depth'] = $_POST['smtp_b64_decode_depth']; }else{ $natent['smtp_b64_decode_depth'] = "0"; } + if ($_POST['smtp_qp_decode_depth'] != "") { $natent['smtp_qp_decode_depth'] = $_POST['smtp_qp_decode_depth']; }else{ $natent['smtp_qp_decode_depth'] = "0"; } + if ($_POST['smtp_bitenc_decode_depth'] != "") { $natent['smtp_bitenc_decode_depth'] = $_POST['smtp_bitenc_decode_depth']; }else{ $natent['smtp_bitenc_decode_depth'] = "0"; } + if ($_POST['smtp_uu_decode_depth'] != "") { $natent['smtp_uu_decode_depth'] = $_POST['smtp_uu_decode_depth']; }else{ $natent['smtp_uu_decode_depth'] = "0"; } + if ($_POST['smtp_email_hdrs_log_depth'] != "") { $natent['smtp_email_hdrs_log_depth'] = $_POST['smtp_email_hdrs_log_depth']; }else{ $natent['smtp_email_hdrs_log_depth'] = "1464"; } // Set SDF inspection types $natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']); @@ -352,6 +486,13 @@ if ($_POST['save']) { $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off'; $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off'; $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; + $natent['smtp_ignore_data'] = $_POST['smtp_ignore_data'] ? 'on' : 'off'; + $natent['smtp_ignore_tls_data'] = $_POST['smtp_ignore_tls_data'] ? 'on' : 'off'; + $natent['smtp_log_mail_from'] = $_POST['smtp_log_mail_from'] ? 'on' : 'off'; + $natent['smtp_log_rcpt_to'] = $_POST['smtp_log_rcpt_to'] ? 'on' : 'off'; + $natent['smtp_log_filename'] = $_POST['smtp_log_filename'] ? 'on' : 'off'; + $natent['smtp_log_email_hdrs'] = $_POST['smtp_log_email_hdrs'] ? 'on' : 'off'; + $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; @@ -385,7 +526,9 @@ if ($_POST['save']) { /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($natent); + conf_mount_ro(); $rebuild_rules = false; /* If 'preproc_auto_rule_disable' is off, then clear log file */ @@ -1308,34 +1451,300 @@ if ($savemsg) { - + - - + + - - + + + + + + - + + + + + + + + + + + + + + + + + + onclick="imap_enable_change();"/> + " . gettext("Checked") . "."; ?> + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1692,6 +2101,36 @@ function sensitive_data_enable_change() { } } +function pop_enable_change() { + var endis = !(document.iform.pop_preproc.checked); + + // Hide POP3 configuration rows if POP preprocessor disabled + if (endis) + document.getElementById("pop_setting_rows").style.display = "none"; + else + document.getElementById("pop_setting_rows").style.display = ""; +} + +function imap_enable_change() { + var endis = !(document.iform.imap_preproc.checked); + + // Hide IMAP configuration rows if IMAP preprocessor disabled + if (endis) + document.getElementById("imap_setting_rows").style.display = "none"; + else + document.getElementById("imap_setting_rows").style.display = ""; +} + +function smtp_enable_change() { + var endis = !(document.iform.smtp_preprocessor.checked); + + // Hide SMTP configuration rows if SMTP preprocessor disabled + if (endis) + document.getElementById("smtp_setting_rows").style.display = "none"; + else + document.getElementById("smtp_setting_rows").style.display = ""; +} + function enable_change_all() { http_inspect_enable_change(); sf_portscan_enable_change(); @@ -1746,6 +2185,9 @@ function enable_change_all() { stream5_track_icmp_enable_change(); ftp_telnet_enable_change(); sensitive_data_enable_change(); + pop_enable_change(); + imap_enable_change(); + smtp_enable_change(); } function wopen(url, name, w, h) diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index e69152c3..df17efc0 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -330,7 +330,9 @@ elseif ($_POST['clear']) { unset($a_rule[$id]['customrules']); write_config("Snort pkg: clear all custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; $pconfig['customrules'] = ''; } @@ -342,7 +344,9 @@ elseif ($_POST['save']) { unset($a_rule[$id]['customrules']); write_config("Snort pkg: save modified custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; $output = ""; $retcode = ""; @@ -371,7 +375,9 @@ else if ($_POST['apply']) { /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Soft-restart Snort to live-load new rules */ diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 79365f5f..59fe6eef 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -160,7 +160,9 @@ if ($_POST["save"]) { /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Soft-restart Snort to live-load new rules */ -- cgit v1.2.3
+ >  
> - onclick="pop_enable_change();"/> + " . gettext("Checked") . ""; ?>.
> - " . gettext("Checked") . ""; ?>. + + " . gettext("838860") . "" . + gettext(" bytes."); ?>

+ " . gettext("3276") . "" . gettext(" bytes and the maximum is ") . + "" . gettext("100 MB") . "" . gettext(" (104857600). An IMAP preprocessor alert with sid 3 is ") . + gettext("generated (when enabled) if this limit is exceeded."); ?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the base64 decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of base64 encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. A POP preprocessor alert with sid 4 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the QP decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of QP encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. A POP preprocessor alert with sid 5 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the extraction of non-encoded MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the extraction of non-encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the extraction of non-encoded MIME attachments, and applies per attachment.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the UU decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of UU encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of UU MIME attachments, and applies per attachment. A POP preprocessor alert with sid 7 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
> - " . gettext("Checked") . ""; ?>.
+ + " . gettext("838860") . "" . + gettext(" bytes."); ?>

+ " . gettext("3276") . "" . gettext(" bytes and the maximum is ") . + "" . gettext("100 MB") . "" . gettext(" (104857600). An IMAP preprocessor alert with sid 3 is ") . + gettext("generated (when enabled) if this limit is exceeded."); ?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the base64 decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of base64 encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An IMAP preprocessor alert with sid 4 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the QP decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of QP encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. An IMAP preprocessor alert with sid 5 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the extraction of non-encoded MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the extraction of non-encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the extraction of non-encoded MIME attachments, and applies per attachment.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the UU decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of UU encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of UU MIME attachments, and applies per attachment. An IMAP preprocessor alert with sid 7 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
> - onclick="smtp_enable_change();"/> + " . gettext("Checked") . "."; ?> +
+ + " . gettext("838860") . "" . gettext(" bytes."); ?>

+ " . gettext("3276") . "" . gettext(" bytes and the maximum is ") . + "" . gettext("100 MB") . "" . gettext(" (104857600). When this memcap is reached, ") . + gettext("SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers until memory becomes available."); ?> +
/> + " . gettext("Not Checked") . "."; ?> +
/> + " . gettext("Checked") . "."; ?> +
/> + " . gettext("Checked") . "."; ?>
+ + +
/> + " . gettext("Checked") . "."; ?>
+ + +
/> + " . gettext("Checked") . "."; ?>
+ + +
/> + " . gettext("Checked") . "."; ?>
+ + +
+ + " . gettext("1464") . "" . gettext(" bytes."); ?>

+ " . gettext("0") . "" . gettext(" to ") . + "" . gettext("20480") . "" . gettext(". A value of ") . "" . gettext("0") . "" . + gettext(" will disable e-mail headers logging."); ?> +
+ + " . gettext("838860") . "" . gettext(" bytes."); ?>

+ " . gettext("3276") . "" . gettext(" bytes and the maximum is ") . + "" . gettext("100 MB") . "" . gettext(" (104857600)."); ?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the base64 decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of base64 encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 10 ") . + gettext("is generated when the decoding fails.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the QP decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of QP encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 11 ") . + gettext("is generated when the decoding fails.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the extraction of non-encoded MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the extraction of non-encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the extraction of non-encoded MIME attachments, and applies per attachment.");?> +
+ " . gettext("0") . "" . gettext(" (unlimited)");?>.

+ " . gettext("-1") . "" . gettext(" to ") . "" . gettext("65535") . "" . + gettext(". A value of ") . "" . gettext("-1") . "" . gettext(" turns off the UU decoding of MIME attachments. ") . + gettext("A value of ") . "" . gettext("0") . "" . gettext(" sets the decoding of UU encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of UU MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 13 ") . + gettext("is generated (if enabled) when the decoding fails.");?> +
> + " . gettext("Checked") . ""; ?>.