From 7cac4afd3f3da453b186ffdc1d0a166125162a82 Mon Sep 17 00:00:00 2001
From: robiscool
Date: Tue, 16 Jun 2009 06:27:27 -0700
Subject: this ones for you mcrane, added custom pfsense rules auto updates, add voip rulles for freeswitch
---
config/snort/pfsense_rules/pfsense-voip.rules | 3 -
.../snort/pfsense_rules/pfsense_rules.tar.gz.md5 | 1 +
.../snort/pfsense_rules/rules/pfsense-voip.rules | 11 +++
config/snort/snort.inc | 2 +
config/snort/snort_download_rules.php | 89 ++++++++++++++++++++--
5 files changed, 96 insertions(+), 10 deletions(-)
delete mode 100644 config/snort/pfsense_rules/pfsense-voip.rules
create mode 100644 config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
create mode 100644 config/snort/pfsense_rules/rules/pfsense-voip.rules
(limited to 'config')
diff --git a/config/snort/pfsense_rules/pfsense-voip.rules b/config/snort/pfsense_rules/pfsense-voip.rules
deleted file mode 100644
index f168403d..00000000
--- a/config/snort/pfsense_rules/pfsense-voip.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
new file mode 100644
index 00000000..97a55e1d
--- /dev/null
+++ b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
@@ -0,0 +1 @@
+101
\ No newline at end of file
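Review bot: The new `pfsense_rules.tar.gz.md5` holds the single token `101`, which is not an MD5 digest despite the file name, so the code that compares its first field (the pfsense.org check added to snort_download_rules.php in this commit) is comparing a change counter, not an integrity value. If a release counter is the intent, a name such as `pfsense_rules.version` (mirroring the `version.txt` already used for emergingthreats) would make that explicit; if integrity is the intent, the file needs the actual digest of `pfsense_rules.tar.gz` and the downloader needs to verify the tarball against it before extraction.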
diff --git a/config/snort/pfsense_rules/rules/pfsense-voip.rules b/config/snort/pfsense_rules/rules/pfsense-voip.rules
new file mode 100644
index 00000000..3142c0b6
--- /dev/null
+++ b/config/snort/pfsense_rules/rules/pfsense-voip.rules
@@ -0,0 +1,11 @@
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+# Excessive number of SIP 4xx Responses Does not work
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
+
+# Rule for alerting of INVITE flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+# Rule for alerting of REGISTER flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
+# Threshold rule for unauthorized responses:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 7c3b3622..750e1a7c 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
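Review bot: The last rule's `msg:"INVITE message flooding"` does not describe what it matches (`content:"SIP/2.0 401 Unauthorized"`), so alerts from the unauthorized-response threshold will be logged under the INVITE-flood name; use `msg:"Excessive SIP 401 Unauthorized responses - possible user or password guessing"`, and note it carries `sid:5000008`, the same sid as the commented-out 4xx rule above, so the two will collide if that rule is re-enabled. The commented rule's `pcre:"/^SIP\/2.0 4\d{2}"` is missing the closing `/` delimiter, which is the likely reason for the `Does not work` remark; `pcre:"/^SIP\/2\.0 4\d{2}/"` should parse. The response-matching rules (`SIP/2.0 180`, `SIP/2.0 401`) are written with the proxy as destination (`-> $SIP_PROXY_IP $SIP_PROXY_PORTS`), yet a proxy sends these responses towards its clients, so if the goal is to notice guessing against the local proxy the direction presumably needs to be from the proxy (`$SIP_PROXY_IP $SIP_PROXY_PORTS -> any any`) — worth confirming against the intended deployment.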
@@ -412,6 +412,7 @@ var POP_SERVERS \$HOME_NET
 var IMAP_SERVERS \$HOME_NET
 var RPC_SERVERS \$HOME_NET
 var WWW_SERVERS \$HOME_NET
+var SIP_PROXY_IP \$HOME_NET
 var AIM_SERVERS \
 [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
@@ -444,6 +445,7 @@ portvar SSH_PORTS {$ssh_port}
 portvar TELNET_PORTS 23
 portvar MAIL_PORTS [25,143,465,691]
 portvar SSL_PORTS [25,443,465,636,993,995]
+portvar SIP_PROXY_PORTS [5060]
 # DCERPC NCACN-IP-TCP
 portvar DCERPC_NCACN_IP_TCP [139,445]
diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php
index 077e8d72..cb3fdd87 100644
--- a/config/snort/snort_download_rules.php
+++ b/config/snort/snort_download_rules.php
@@ -34,6 +34,8 @@ $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5";
 $snort_filename = "snortrules-snapshot-2.8.tar.gz";
 $emergingthreats_filename_md5 = "version.txt";
 $emergingthreats_filename = "emerging.rules.tar.gz";
+$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5";
+$pfsense_rules_filename = "pfsense_rules.tar.gz";
 require_once("guiconfig.inc");
 require_once("functions.inc");
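Review bot: Both new definitions are hard-coded — `var SIP_PROXY_IP \$HOME_NET` in the first hunk and `portvar SIP_PROXY_PORTS [5060]` in the second — whereas the neighbouring `portvar SSH_PORTS {$ssh_port}` is taken from the package configuration; with the proxy address defaulting to all of `$HOME_NET`, every rule in pfsense-voip.rules written against `$SIP_PROXY_IP` fires on SIP traffic to any internal host rather than just the PBX. Exposing both values as package settings that fall back to these defaults would let operators narrow the thresholds to their actual proxy and to non-default SIP ports without editing snort.inc.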
@@ -204,6 +206,20 @@ if ($emergingthreats_url_chk == on) {
 update_status(gettext("Done. downloading md5"));
 }
+/* download md5 sig from pfsense.org */
+if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) {
+ update_status(gettext("md5 temp file exists..."));
+} else {
+ update_status(gettext("Downloading pfsense md5 file..."));
+ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
+ $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5");
+// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5");
+ $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w');
+ fwrite($f, $image);
+ fclose($f);
+ update_status(gettext("Done. downloading md5"));
+}
+
 /* Time stamps define */
 $last_md5_download = $config['installedpackages']['snort']['last_md5_download'];
 $last_rules_install = $config['installedpackages']['snort']['last_rules_install'];
@@ -235,6 +251,18 @@ if (0 == filesize("{$tmpfname}/version.txt")){
 }
 }
+/* If pfsense md5 file is empty wait 15min exit */
+if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){
+ update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes..."));
+ update_output_window(gettext("Rules are released to support Pfsense packages."));
+ hide_progress_bar_status();
+ /* Display last time of sucsessful md5 check from cache */
+ echo "\n
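Review bot: `$image = @file_get_contents(...)` is error-suppressed and its result is written unconditionally, so when the fetch fails `$image` is `false`, `fwrite($f, $image)` produces an empty `pfsense_rules.tar.gz.md5`, and the zero-size branch added further down reports `You may only check for New Pfsense Rules every 15 minutes...` — a network error is misreported as rate limiting. Test the result before writing, e.g. `if ($image === false) { update_output_window(gettext("Could not download pfsense md5 file.")); exit(0); }`, and check the `fopen` return as well. The metadata is also fetched over plain `http://`, and because the sidecar is only compared for change (never used to verify the tarball), nothing on this path authenticates what is later extracted and installed as rules; serving both files over HTTPS, or shipping a real digest that the downloader verifies, would close that gap. The snort.org and emergingthreats blocks above, which start outside this hunk, share the same pattern.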

You last checked for updates: {$last_md5_download}

\n";
+ echo "\n

You last installed for rules: {$last_rules_install}

\n";
+ echo "\n\n\n\n";
+ exit(0);
+}
+
 /* Check if were up to date snort.org */
 if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){
 $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
@@ -280,6 +308,17 @@ if ($emerg_md5_check_new == $emerg_md5_check_old) {
 }
 }
+/* Check if were up to date pfsense.org */
+if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){
+$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
+$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`;
+$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}");
+$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`;
+if ($pfsense_md5_check_new == $pfsense_md5_check_old) {
+ $pfsense_md5_check_ok = on;
+ }
+}
+
 /* Make Clean Snort Directory emergingthreats not checked */
 if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) {
 update_status(gettext("Cleaning the snort Directory..."));
@@ -290,13 +329,13 @@ if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) {
 }
 /* Check if were up to date exits */
-if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on) {
+if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) {
 update_status(gettext("Your rules are up to date..."));
 update_output_window(gettext("You may start Snort now..."));
 exit(0);
 }
-if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) {
+if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) {
 update_status(gettext("Your rules are up to date..."));
 update_output_window(gettext("You may start Snort now..."));
 exit(0);
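Review bot: The pfsense.org up-to-date check reads the wrong files: both `file_get_contents` lines use `{$snort_filename_md5}` instead of `{$pfsense_rules_filename_md5}`, and the old-side backtick interpolates `$md5_check_old_parse` (the Snort.org variable) instead of `$pfsense_md5_check_old_parse`, so `$pfsense_md5_check_ok` follows the Snort.org digest and the pfSense rules are skipped or re-downloaded independently of their own sidecar. Separately, `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk ...` places the body of a file fetched over HTTP from a remote server directly on a shell command line, so a response containing shell metacharacters would be interpreted by the shell on the firewall; take the first field in PHP instead. The rewrite below fixes both; the equality test and `$pfsense_md5_check_ok = on` stay as they are.
```php
if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){
	$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$pfsense_rules_filename_md5}");
	/* first whitespace-separated field, without handing remote content to a shell */
	list($pfsense_md5_check_new) = preg_split('/\s+/', trim($pfsense_md5_check_new_parse));
	$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$pfsense_rules_filename_md5}");
	list($pfsense_md5_check_old) = preg_split('/\s+/', trim($pfsense_md5_check_old_parse));
	// … unchanged: equality test setting $pfsense_md5_check_ok …
}
```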
@@ -318,7 +357,7 @@ if (file_exists("{$tmpfname}/{$snort_filename}")) {
 update_status(gettext("There is a new set of Snort rules posted. Downloading..."));
 update_output_window(gettext("May take 4 to 10 min..."));
 // download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware");
- download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware");
+ download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware");
 update_all_status($static_output);
 update_status(gettext("Done downloading rules file."));
 }
@@ -340,6 +379,21 @@ if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
 }
 }
+/* download pfsense rules file */
+if ($pfsense_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) {
+ update_status(gettext("Snortrule tar file exists..."));
+} else {
+ unhide_progress_bar_status();
+ update_status(gettext("There is a new set of Pfsense rules posted. Downloading..."));
+ update_output_window(gettext("May take 4 to 10 min..."));
+// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware");
+ download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware");
+ update_all_status($static_output);
+ update_status(gettext("Done downloading rules file."));
+ }
+}
+
 /* Compair md5 sig to file sig */
 //$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber'];
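Review bot: The already-present branch of the new pfSense download block reuses the Snort wording, `update_status(gettext("Snortrule tar file exists..."));`, which misleads anyone reading the progress log when the cached file is the pfSense one; `update_status(gettext("Pfsense rules tar file exists..."));`. The tarball itself is fetched from a hard-coded plain `http://www.pfsense.com/...` URL and nothing in this commit checks a digest or signature before it is unpacked into the rules directory, so a party able to tamper with the transport could supply rule content; at minimum the URL should be HTTPS, and the sidecar comparison should be followed by a real digest check once the `.md5` file carries one.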
@@ -409,10 +463,19 @@ if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
 }
 }
+/* Untar Pfsense rules to tmp */
+if ($pfsense_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) {
+ update_status(gettext("Extracting Pfsense rules..."));
+ update_output_window(gettext("May take a while..."));
+ exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$tmpfname} rules/");
+ }
+}
+
 /* Untar snort signatures */
 if ($snort_md5_check_ok != on) {
 if (file_exists("{$tmpfname}/{$snort_filename}")) {
-$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo'];
+$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo'];
 if ($premium_url_chk == on) {
 update_status(gettext("Extracting Signatures..."));
 update_output_window(gettext("May take a while..."));
@@ -423,7 +486,7 @@ if ($premium_url_chk == on) {
 }
 /* Make Clean Snort Directory */
-if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on) {
+if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) {
 if (file_exists("{$snortdir}/rules")) {
 update_status(gettext("Cleaning the snort Directory..."));
 update_output_window(gettext("removing..."));
@@ -440,8 +503,8 @@ if (file_exists("{$snortdir}/rules")) {
 }
 }
-/* Copy snort rules and emergingthreats dir to snort dir */
-if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on) {
+/* Copy snort rules and emergingthreats and pfsense dir to snort dir */
+if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
 if (file_exists("{$tmpfname}/rules")) {
 update_status(gettext("Copying rules..."));
 update_output_window(gettext("May take a while..."));
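Review bot: The result of `exec("/usr/bin/tar xzf ... -C {$tmpfname} rules/")` is discarded, so a truncated or failed download (the fetch is unverified) produces no `rules/` from this archive yet the flow continues to the copy step and, in the later hunk, copies the `.md5` sidecar into `{$snortdir}` as if the install succeeded; capture the status, e.g. `exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$tmpfname} rules/", $out, $rc);` and stop with a message when `$rc != 0`. The same hunk also switches `$signature_info_chk` to `$config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']`, which is unrelated to the pfSense rules feature and not mentioned in the subject; please confirm the settings page actually writes under `snortadvanced`, otherwise signature-info extraction silently turns off.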
@@ -483,6 +546,18 @@ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
 }
 }
+/* Copy Pfsense md5 sig to snort dir */
+if ($pfsense_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) {
+ update_status(gettext("Copying Pfsense md5 sig to snort directory..."));
+ exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5");
+} else {
+ update_status(gettext("The Pfsense md5 file does not exist..."));
+ update_output_window(gettext("Error copping config..."));
+ exit(0);
+ }
+}
+
 /* Copy configs to snort dir */
 if ($snort_md5_check_ok != on) {
 if (file_exists("{$tmpfname}/etc/Makefile.am")) {
-- cgit v1.2.3
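Review bot: The sidecar copy on the `exec("/bin/cp ...")` line runs whenever `$pfsense_md5_check_ok != on`, independent of whether the tarball was actually downloaded, extracted and copied in the preceding steps, so after any failed update the next run compares two equal sidecars and reports the rules as up to date until upstream changes the file; gate the copy on the rules having landed, e.g. `if (file_exists("{$tmpfname}/rules") && file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) {`. PHP's `copy("{$tmpfname}/$pfsense_rules_filename_md5", "{$snortdir}/$pfsense_rules_filename_md5")` would do the same without a shell and returns a boolean that can be checked. The `Error copping config...` text is carried over from the existing blocks and reads oddly for an md5 file; `Error copying Pfsense md5 file...`.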