From 39eda8d18af808aed889f05faa8a54cc2370381d Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Tue, 10 Nov 2015 19:32:07 -0500
Subject: Add support for decompress_swf and decompress_pdf HTTP_INSPECT
 options.

---
 config/snort/snort_generate_conf.php      |  6 +++++-
 config/snort/snort_httpinspect_engine.php | 28 ++++++++++++++++++++++++++--
 config/snort/snort_interfaces_edit.php    |  5 +++--
 config/snort/snort_migrate_config.php     |  3 ++-
 4 files changed, 36 insertions(+), 6 deletions(-)

(limited to 'config')

diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index 646697bf..6780da0a 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -1291,7 +1291,7 @@ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "
 				      "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", 
 				      "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", 
 				      "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, 
-				      "max_header_length" => 0, "ports" => "default" );
+				      "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" );
 $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
 $http_inspect_servers = "";
 
@@ -1385,6 +1385,10 @@ if ($snortcfg['http_inspect'] <> "off") {
 			$http_inspect_servers .= " \\\n\tlog_uri";
 		if ($v['log_hostname'] == "on")
 			$http_inspect_servers .= " \\\n\tlog_hostname";
+		if ($v['decompress_swf'] == "on")
+			$http_inspect_servers .= " \\\n\tdecompress_swf";
+		if ($v['decompress_pdf'] == "on")
+			$http_inspect_servers .= " \\\n\tdecompress_pdf";
 
 		// Add a pair of trailing newlines to terminate this server config
 		$http_inspect_servers .= "\n\n";
diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php
index c7680892..15d70f09 100644
--- a/config/snort/snort_httpinspect_engine.php
+++ b/config/snort/snort_httpinspect_engine.php
@@ -1,7 +1,7 @@
 <?php
 /*
  * snort_httpinspect_engine.php
- * Copyright (C) 2013-2014 Bill Meeks
+ * Copyright (C) 2013-2015 Bill Meeks
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -66,7 +66,7 @@ if (empty($a_nat[$eng_id])) {
 		      "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", 
 		      "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", 
 		      "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, 
-		      "max_header_length" => 0, "ports" => "default" );
+		      "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" );
 	// See if this is initial entry and set to "default" if true
 	if ($eng_id < 1) {
 		$def['name'] = "default";
@@ -124,6 +124,10 @@ else {
 		$pconfig['max_spaces'] = 0;
 	if (empty($pconfig['max_header_length']))
 		$pconfig['max_header_length'] = 0;
+	if (empty($pconfig['decompress_swf']))
+		$pconfig['decompress_swf'] = "off";
+	if (empty($pconfig['decompress_pdf']))
+		$pconfig['decompress_pdf'] = "off";
 }
 
 if ($_POST['Cancel']) {
@@ -259,6 +263,8 @@ if ($_POST['save']) {
 	$engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off';
 	$engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off';
 	$engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off';
+	$engine['decompress_swf'] = $_POST['httpinspect_decompress_swf'] ? 'on' : 'off';
+	$engine['decompress_pdf'] = $_POST['httpinspect_decompress_pdf'] ? 'on' : 'off';
 
 	// Can only have one "all" Bind_To address
 	if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
@@ -527,6 +533,24 @@ if ($savemsg)
 			<?php echo gettext("Decompress unlimited gzip data (across multiple packets). Default is ");?> 
 			<strong><?php echo gettext("Checked");?></strong>.</td>
 	</tr>
+	<tr>
+		<td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress SWF");?></td>
+		<td width="78%" class="vtable"><input name="httpinspect_decompress_swf" 
+			type="checkbox" value="on" id="httpinspect_decompress_swf" 
+			<?php if ($pconfig['decompress_swf']=="on") echo "checked";?>>
+			<?php echo gettext("Uncompress and inspect Shockwave Flash data in HTTP response. " .
+				"Default is ");?>
+			<strong><?php echo gettext("Not Checked");?></strong>.</td>
+	</tr>
+	<tr>
+		<td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress PDF");?></td>
+		<td width="78%" class="vtable"><input name="httpinspect_decompress_pdf" 
+			type="checkbox" value="on" id="httpinspect_decompress_pdf" 
+			<?php if ($pconfig['decompress_pdf']=="on") echo "checked";?>>
+			<?php echo gettext("Uncompress and inspect PDF data in HTTP response. " .
+				"Default is ");?>
+			<strong><?php echo gettext("Not Checked");?></strong>.</td>
+	</tr>
 	<tr>
 		<td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td>
 		<td width="78%" class="vtable"><input name="httpinspect_normalize_cookies" 
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 0d41c7db..41864a4f 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -4,7 +4,7 @@
  *
  * Copyright (C) 2008-2009 Robert Zelaya.
  * Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -269,7 +269,8 @@ if ($_POST["save"] && !$input_errors) {
 					   "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", 
 					   "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", 
 					   "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
-					   "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+					   "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default",
+					   "decompress_swf" => "off", "decompress_pdf" => "off" );
 
 			$ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, 
 						 "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", 
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index edcbb2d5..a0cf24fe 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -254,7 +254,8 @@ foreach ($rule as &$r) {
 				"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", 
 				"normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", 
 				"allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
-				"post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+				"post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default",
+				"decompress_swf" => "off", "decompress_pdf" => "off" );
 
 		// Ensure sensible default values exist for global HTTP_INSPECT parameters
 		if (empty($pconfig['http_inspect']))
-- 
cgit v1.2.3