From 0d7e8e94c0854145806e91e7ff82015bb1c30330 Mon Sep 17 00:00:00 2001
From: Marcello Coutinho <marcellocoutinho@gmail.com>
Date: Fri, 22 Nov 2013 01:35:55 -0200
Subject: snort - add multi select combo option for sensitive data preprocessor

---
 config/snort/snort.inc               | 12 +++++++++++-
 config/snort/snort_preprocessors.php | 24 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

(limited to 'config')

diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 1a6f1ac6..0573d5f4 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -3204,8 +3204,18 @@ EOD;
 	if (is_dir("{$snortcfgdir}/preproc_rules")) {
 		if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
 			$sedcmd = '/^#alert.*classtype:sdf/s/^#//';
-			if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
+			if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
 				$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
+				#enable only selected sensitive data
+				if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
+					$sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
+					$sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
+					$sd_tmp_new_file="";
+					foreach ($sd_tmp_file as $sd_tmp_line)
+						$sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
+					file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
+				}
+			}
 		} else
 			$sedcmd = '/^alert.*classtype:sdf/s/^/#/';
 		if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 98a0b106..c6546b6f 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -100,6 +100,7 @@ if (isset($id) && $a_nat[$id]) {
 	$pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
 	$pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
 	$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
+	$pconfig['sdf_alert_data_type'] = $a_nat[$id]['sdf_alert_data_type'];
 	$pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold'];
 	$pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output'];
 	$pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
@@ -410,6 +411,7 @@ if ($_POST['ResetAll']) {
 	$pconfig['dce_rpc_2'] = "on";
 	$pconfig['dns_preprocessor'] = "on";
 	$pconfig['sensitive_data'] = "off";
+	$pconfig['sdf_alert_data_type'] = "";
 	$pconfig['sdf_alert_threshold'] = "25";
 	$pconfig['sdf_mask_output'] = "off";
 	$pconfig['ssl_preproc'] = "on";
@@ -437,6 +439,8 @@ elseif ($_POST['Submit']) {
 	if ($_POST['sensitive_data'] == 'on') {
 		if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 4294067295)
 			$input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 4,294,067,295.");
+		if (empty($_POST['sdf_alert_data_type']))
+			$input_errors[] = gettext("You must select at least one item to Inspect for while Sensitive data Detections is enabled.");
 	}
 
 	/* if no errors write to conf */
@@ -480,6 +484,8 @@ elseif ($_POST['Submit']) {
 		$natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
 		$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
 		$natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off';
+		$natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']);
+		$natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold'];
 		$natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off';
 		$natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
 		$natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
@@ -1247,6 +1253,7 @@ include_once("head.inc");
 			</select>&nbsp;&nbsp;<?php echo gettext("Choose to operate in stateful or stateless mode.  Default is ") . 
 			"<strong>" . gettext("stateful") . "</strong>."; ?><br/>
 		</td>
+		</tr>
 	<tr id="ftp_telnet_row_encrypted_check">
 		<td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td>
 		<td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on" 
@@ -1393,6 +1400,20 @@ include_once("head.inc");
 		"<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\"/>" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?>
 		</td>
 	</tr>
+	<tr id="sdf_alert_data_row">
+		<td width="22%" valign="top" class="vncell"><?php echo gettext("Inspection for"); ?> </td>
+		<td width="78%" class="vtable">
+			<select name="sdf_alert_data_type[]" class="formselect" id="sdf_alert_data_type" size="4" multiple="multiple"> 
+			<?php
+			$values = array('Credit Card', 'Email Addresses', 'U.S. Phone Numbers', 'U.S. Social Security Numbers');
+			foreach ($values as $val): ?>
+			<option value="<?=$val;?>"
+			<?php if (preg_match("/$val/",$pconfig['sdf_alert_data_type'])) echo "selected"; ?>> 
+				<?=gettext($val);?></option>
+				<?php endforeach; ?>
+			</select><br><?php echo gettext("Choose what type of sensitive alerts to detect.").$pconfig['sdf_alert_data_type']; ?><br/>
+		</td>
+		</tr>
 	<tr id="sdf_alert_threshold_row">
 		<td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Threshold"); ?></td>
 		<td width="78%" class="vtable"><input name="sdf_alert_threshold" type="text" class="formfld unknown" id="sdf_alert_threshold" size="9" value="<?=htmlspecialchars($pconfig['sdf_alert_threshold']);?>">
@@ -1789,10 +1810,13 @@ function sensitive_data_enable_change() {
 	if (endis) {
 		document.getElementById("sdf_alert_threshold_row").style.display="none";
 		document.getElementById("sdf_mask_output_row").style.display="none";
+		document.getElementById("sdf_alert_data_type").style.display="none";
+		
 	}
 	else {
 		document.getElementById("sdf_alert_threshold_row").style.display="table-row";
 		document.getElementById("sdf_mask_output_row").style.display="table-row";
+		document.getElementById("sdf_alert_data_type").style.display="table-row";
 	}
 }
 
-- 
cgit v1.2.3