From 0f28772b3973f976e05ac088cc297c25816127a7 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Fri, 1 Feb 2013 20:25:04 -0500
Subject: Add GTP preproc and http_inspect_server Profile options to GUI.
---
 config/snort/snort.inc | 24 ++++++++++++++++++++----
 config/snort/snort_define_servers.php | 2 +-
 config/snort/snort_preprocessors.php | 34 ++++++++++++++++++++++++++++++++--
 3 files changed, 53 insertions(+), 7 deletions(-)
(limited to 'config')
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 869e040e..884c50ec 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1977,7 +1977,8 @@ function snort_generate_conf($snortcfg) {
 "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
- "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502"
+ "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502",
+ "GTP_PORTS" => "2123,2152,3386"
 );
 $portvardef = "";
@@ -2002,6 +2003,10 @@ EOD;
 if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0'))
 $def_server_flow_depth_type = $snortcfg['server_flow_depth'];
+ $http_server_profile = "all";
+ if (!empty($snortcfg['http_server_profile']))
+ $http_server_profile = $snortcfg['http_server_profile'];
+
 $def_client_flow_depth_type = '300';
 if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
 $def_client_flow_depth_type = $snortcfg['client_flow_depth'];
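Review bot: `$http_server_profile` is copied straight from `$snortcfg['http_server_profile']` and, in the http_inspect_server hunk that follows, interpolated into the generated snort.conf as `profile {$http_server_profile}`, so any value outside the set Snort accepts for profile (all, apache, iis, iis4_0, iis5_0) would likely make the generated configuration fail to parse and keep the sensor from starting. The value is written by the POST handler in snort_preprocessors.php (the `@@ -88` hunk, `$natent['http_server_profile'] = $_POST['http_server_profile'];`) without being checked against an allowed list, so the form's select appears to be the only constraint. Suggest validating at the POST boundary (append to `$input_errors` when the submitted value is not in the allowed list) and, defensively, here: `$http_server_profile = in_array($snortcfg['http_server_profile'], array('all', 'apache', 'iis', 'iis4_0', 'iis5_0'), true) ? $snortcfg['http_server_profile'] : "all";`. snort_generate_conf continues outside the hunk.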
@@ -2017,7 +2022,7 @@ EOD; # HTTP Inspect # preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 -preprocessor http_inspect_server: server default profile all {$noalert_http_inspect}\ +preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect}\ ports { {$http_ports} } \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ server_flow_depth {$def_server_flow_depth_type} \ @@ -2219,6 +2224,14 @@ EOD; preprocessor modbus: \ ports { {$modbus_ports} } +EOD; + + /* def gtp_preprocessor */ + $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_preproc = << "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $snort_preprocessors = ""; 
@@ -2369,6 +2382,9 @@ config disable_tcpopt_alerts
 config disable_ipopt_alerts
 config disable_decode_drops
+# Enable the GTP decoder #
+config enable_gtp
+
 # Configure PCRE match limitations
 config pcre_match_limit: 3500
 config pcre_match_limit_recursion: 1500
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index 3a12b284..4085b325 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -75,7 +75,7 @@ $snort_ports = array(
 "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
-"ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
+"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386",
 "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 83025929..7d0348e9 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -56,6 +56,7 @@ if (isset($id) && $a_nat[$id]) {
 /* new options */
 $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
 $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth'];
+ $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile'];
 $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth'];
 $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
 $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
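Review bot: `config enable_gtp` is emitted unconditionally in the static decoder section of the generated snort.conf, while the GTP preprocessor block itself (the `gtp_preproc` entry added to the preprocessor tables in the earlier hunk) appears to be a per-interface toggle, so GTP decoding stays on even when the user leaves the GTP preprocessor off. If that is intended, a comment in the heredoc would make it explicit, e.g. `# GTP decoding is always on; the gtp preprocessor is optional #`; otherwise gate the line on the same `gtp_preproc` setting that controls the preprocessor block. The enclosing heredoc starts and ends outside the hunk.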
@@ -75,6 +76,7 @@ if (isset($id) && $a_nat[$id]) {
 $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc'];
 $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc'];
 $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc'];
+ $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc'];
 }
 if ($_POST) {
@@ -88,6 +90,7 @@ if ($_POST) {
 if (!$input_errors) {
 /* post new options */
 if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; }
+ if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; }
 if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; }
 if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
 if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
@@ -116,6 +119,7 @@ if ($_POST) {
 $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
 $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off';
 $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
+ $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off';
 if (isset($id) && $a_nat[$id])
 $a_nat[$id] = $natent;
@@ -221,7 +225,7 @@ include_once("head.inc");
 -1 " . + value="">  -1 " . "to 65535 (-1 disables HTTP " . "inspect, 0 enables all HTTP inspect)"); ?>
@@ -232,6 +236,23 @@ include_once("head.inc");
 "are specified in bytes. Recommended setting is maximum (65535). Default value is 300"); ?>
+ + + +   
+ All. "); ?> + +
+ + @@ -348,7 +369,7 @@ include_once("head.inc");

- @@ -417,6 +438,15 @@ include_once("head.inc"); onClick="enable_change(false)">
+ +
+ + + onClick="enable_change(false)">
+ +