From a368d93cd9d13cef90fdaf505130106b151860ca Mon Sep 17 00:00:00 2001 From: Ermal Date: Sat, 14 Jul 2012 21:17:51 +0000 Subject: Use ports from the configuration that can be overriden than hardcoded ones --- config/snort/snort.inc | 73 +++++++++++++++++++----------------- config/snort/snort_preprocessors.php | 12 ------ 2 files changed, 39 insertions(+), 46 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index f6181819..9fa3beab 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1048,6 +1048,29 @@ function snort_generate_conf($snortcfg) { if(!empty($snortcfg['performance'])) $snort_performance = $snortcfg['performance']; + /* if user has defined a custom ssh port, use it */ + if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; + else + $ssh_port = "22"; + $ports = array( + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", + "http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433", + "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", + "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", + "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", + "sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504" + ); + ///////////////////////////// /* preprocessor code */ /* def perform_stat */ @@ -1061,13 +1084,14 @@ EOD; if (!empty($snortcfg['flow_depth'])) $def_flow_depth_type = $snortcfg['flow_depth']; + $http_ports = str_replace(",", " ", $ports['http_ports']); /* def http_inspect */ $http_inspect = << "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); - /* if user has defined a custom ssh port, use it */ - if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) - $ssh_port = $config['system']['ssh']['port']; - else - $ssh_port = "22"; - $ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", - "http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433", - "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", - "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", - "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", - "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", - "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", - "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", - "ssl_ports_ignore" => "443,465,563,636,989,990,992,993,994,995", - "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", - "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", - "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", - "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", - "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504" - ); - $vardef = ""; foreach ($servers as $alias => $avalue) { if (!empty($snortcfg[$alias])) @@ -1259,7 +1262,7 @@ EOD; $ports[$alias] = $snortcfg["def_{$alias}"]; $portvardef .= "portvar " . strtoupper($alias) . " [" . $ports[$alias] . "]\n"; } - $def_ssl_ports_ignore = str_replace(",", " ", $ports['ssl_ports_ignore']); + $def_ssl_ports_ignore = str_replace(",", " ", $ports['ssl_ports']); $snort_preproc = array ( "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", @@ -1279,10 +1282,12 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (file_exists("{$snortdir}/preproc_rules/preprocessor.rules")) - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - if (file_exists("{$snortdir}/preproc_rules/decoder.rules")) - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + if (is_dir("{$snortdir}/preproc_rules")) { + foreach (glob("{$snortdir}/preproc_rules/*.rules") as $file) { + $file = basename($file); + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/{$file}\n"; + } + } /* generate rule sections to load */ $selected_rules_sections = ""; diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 29a1d7bb..339c0168 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -55,7 +55,6 @@ if (isset($id) && $a_nat[$id]) { /* new options */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; @@ -75,7 +74,6 @@ if ($_POST) { /* if no errors write to conf */ if (!$input_errors) { /* post new options */ - if ($_POST['ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; } if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } @@ -300,16 +298,6 @@ include_once("head.inc"); The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities. - - Define SSL_IGNORE -
- Encrypted traffic should be ignored by Snort - for both performance reasons and to reduce false positives.
- Default: "443 465 563 636 989 990 992 993 994 995".
Please - use spaces and not commas. -   -- cgit v1.2.3