"engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); // See if this is initial entry and set to "default" if true if ($eng_id < 1) { $def['name'] = "default"; $def['bind_to'] = "all"; } $pconfig = $def; } else { $pconfig = $a_nat[$eng_id]; // Check for any empty values and set sensible defaults if (empty($pconfig['ports'])) $pconfig['ports'] = "default"; if (empty($pconfig['server_profile'])) $pconfig['server_profile'] = "all"; if (empty($pconfig['enable_xff'])) $pconfig['enable_xff'] = "off"; if (empty($pconfig['log_uri'])) $pconfig['log_uri'] = "off"; if (empty($pconfig['log_hostname'])) $pconfig['log_hostname'] = "off"; if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0) $pconfig['server_flow_depth'] = 65535; if (empty($pconfig['enable_cookie'])) $pconfig['enable_cookie'] = "on"; if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0) $pconfig['client_flow_depth'] = 1460; if (empty($pconfig['extended_response_inspection'])) $pconfig['extended_response_inspection'] = "on"; if (empty($pconfig['no_alerts'])) $pconfig['no_alerts'] = "off"; if (empty($pconfig['unlimited_decompress'])) $pconfig['unlimited_decompress'] = "on"; if (empty($pconfig['inspect_gzip'])) $pconfig['inspect_gzip'] = "on"; if (empty($pconfig['normalize_cookies'])) $pconfig['normalize_cookies'] = "on"; if 
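(empty($pconfig['normalize_headers'])) $pconfig['normalize_headers'] = "on";
	// Remaining per-key fallbacks for an existing engine entry. This run of
	// defaults (and the if/else that encloses it) begins earlier in the file.
	if (empty($pconfig['normalize_utf'])) $pconfig['normalize_utf'] = "on";
	if (empty($pconfig['normalize_javascript'])) $pconfig['normalize_javascript'] = "on";
	if (empty($pconfig['allow_proxy_use'])) $pconfig['allow_proxy_use'] = "off";
	if (empty($pconfig['inspect_uri_only'])) $pconfig['inspect_uri_only'] = "off";
	if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0)
		$pconfig['max_javascript_whitespaces'] = 200;
	if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0)
		$pconfig['post_depth'] = -1;
	if (empty($pconfig['max_headers'])) $pconfig['max_headers'] = 0;
	if (empty($pconfig['max_spaces'])) $pconfig['max_spaces'] = 0;
	if (empty($pconfig['max_header_length'])) $pconfig['max_header_length'] = 0;
	if (empty($pconfig['decompress_swf'])) $pconfig['decompress_swf'] = "off";
	if (empty($pconfig['decompress_pdf'])) $pconfig['decompress_pdf'] = "off";
}

// ---------------------------------------------------------------------
// Cancel: discard any alias picked through the import dialog and return
// to the preprocessor list without saving anything.
// ---------------------------------------------------------------------
if (!empty($_POST['Cancel'])) {
	// Clear and close out any session variable we created
	session_start();
	unset($_SESSION['http_inspect_import']);
	session_write_close();
	header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
	exit;
}

// ---------------------------------------------------------------------
// Import: the alias-select dialog returns its choice in the query string
// as varname/varvalue. Only 'bind_to' and 'ports' may be set this way.
//
// The query string is untrusted input. The raw value is parked in the
// session, but every copy placed into $pconfig is HTML-escaped. The
// earlier code escaped the value once and then overwrote it with the raw
// session copy, so the escaping never took effect.
// NOTE(review): the form template is not visible from here; this assumes
// it echoes $pconfig values without escaping them again - confirm.
// ---------------------------------------------------------------------
if (isset($_GET['act']) && $_GET['act'] == "import") {
	session_start();
	$import_var = isset($_GET['varname']) ? $_GET['varname'] : '';
	$import_val = isset($_GET['varvalue']) ? $_GET['varvalue'] : '';

	if (($import_var === "bind_to" || $import_var === "ports") &&
	    is_string($import_val) && !empty($import_val)) {
		// NOTE(review): the session array is reset on every import, so only
		// the most recent selection is remembered. That matches the previous
		// behaviour; confirm whether both fields were meant to persist.
		$_SESSION['http_inspect_import'] = array();
		$_SESSION['http_inspect_import'][$import_var] = $import_val;
		$pconfig[$import_var] = htmlspecialchars($import_val, ENT_QUOTES);
	}
	// If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
	// so restore any saved values.
	elseif (empty($import_val)) {
		foreach (array('bind_to', 'ports') as $saved_key) {
			if (isset($_SESSION['http_inspect_import'][$saved_key]) &&
			    is_string($_SESSION['http_inspect_import'][$saved_key])) {
				$pconfig[$saved_key] = htmlspecialchars($_SESSION['http_inspect_import'][$saved_key], ENT_QUOTES);
			}
		}
	}
	else {
		unset($_SESSION['http_inspect_import']);
		session_write_close();
	}
}

// ---------------------------------------------------------------------
// Save: validate the posted form, then store the engine entry.
// Every field is validated server-side; browser-side limits (maxlength,
// read-only inputs, select options) are not a control.
// ---------------------------------------------------------------------
if (!empty($_POST['save'])) {
	// Clear and close out any session variable we created
	session_start();
	unset($_SESSION['http_inspect_import']);
	session_write_close();

	// Grab all the POST values and save in new temp array
	$engine = array();

	// NOTE(review): the name is only trimmed. The form text mentions a
	// 25 character maximum, but no length or character-set check is done
	// here - confirm what the consumers of this value tolerate.
	if (!empty($_POST['httpinspect_name']) && is_string($_POST['httpinspect_name'])) {
		$engine['name'] = trim($_POST['httpinspect_name']);
	}
	else {
		$engine['name'] = "default";
	}

	// Bind-To must be an existing alias or the keyword 'all'.
	$posted_bind = (isset($_POST['httpinspect_bind_to']) && is_string($_POST['httpinspect_bind_to']))
	    ? trim($_POST['httpinspect_bind_to']) : '';
	if (!empty($posted_bind)) {
		if (is_alias($posted_bind))
			$engine['bind_to'] = $posted_bind;
		elseif (strtolower($posted_bind) == "all")
			$engine['bind_to'] = "all";
		else
			$input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
	}
	else {
		$input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
	}

	// Ports gets the same allow-list treatment as Bind-To. The form text
	// states the value must be a pre-configured Alias or 'default', but the
	// earlier code stored whatever string was posted.
	$posted_ports = (isset($_POST['httpinspect_ports']) && is_string($_POST['httpinspect_ports']))
	    ? trim($_POST['httpinspect_ports']) : '';
	if (empty($posted_ports)) {
		$engine['ports'] = "default";
	}
	elseif (is_alias($posted_ports)) {
		$engine['ports'] = $posted_ports;
	}
	elseif (strtolower($posted_ports) == "default") {
		$engine['ports'] = "default";
	}
	else {
		$input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'default' for the 'Ports' value.");
	}

	// Validate the text input fields before saving.
	// Each entry: minimum, maximum, default used when the field is blank,
	// and the error shown when the value is rejected.
	//
	// Changes from the earlier per-field checks:
	//  * A blank field now really falls back to its default. The old test
	//    (!empty($x) || $x == 0) made that branch unreachable on PHP
	//    versions where "" == 0 is true.
	//  * Only plain integer syntax is accepted and the stored value is an
	//    int. is_numeric() also accepts forms such as "1e3" or "1.5",
	//    which would have been saved verbatim.
	//  * Max_Headers is capped at 1024, the limit the help text on this
	//    page gives for that field; the old check allowed up to 65535.
	//  * A rejected value is not kept in $engine, so it cannot be copied
	//    back into the form via $pconfig.
	$int_fields = array(
		'server_flow_depth' => array(-1, 65535, 65535,
		    gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535.")),
		'client_flow_depth' => array(-1, 1460, 1460,
		    gettext("The value for Client_Flow_Depth must be between -1 and 1460.")),
		'max_javascript_whitespaces' => array(0, 65535, 200,
		    gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535.")),
		'post_depth' => array(-1, 65495, -1,
		    gettext("The value for Post_Depth must be between -1 and 65495.")),
		'max_headers' => array(0, 1024, 0,
		    gettext("The value for Max_Headers must be between 0 and 1024.")),
		'max_spaces' => array(0, 65535, 0,
		    gettext("The value for Max_Spaces must be between 0 and 65535.")),
		'max_header_length' => array(0, 65535, 0,
		    gettext("The value for Max_Header_Length must be between 0 and 65535."))
	);
	foreach ($int_fields as $field => $spec) {
		list($min_val, $max_val, $default_val, $err_msg) = $spec;
		$posted = isset($_POST["httpinspect_{$field}"]) ? $_POST["httpinspect_{$field}"] : '';
		if (is_string($posted))
			$posted = trim($posted);

		if ($posted === '') {
			$engine[$field] = $default_val;
			continue;
		}
		if (!is_string($posted) || !preg_match('/^-?[0-9]+$/', $posted) ||
		    (int)$posted < $min_val || (int)$posted > $max_val) {
			$engine[$field] = $default_val;
			$input_errors[] = $err_msg;
			continue;
		}
		$engine[$field] = (int)$posted;
	}

	// NOTE(review): server_profile is stored as posted. The list of
	// profiles the form offers is not visible from here; an allow-list
	// check against that list would be the matching server-side control.
	if (!empty($_POST['httpinspect_server_profile'])) {
		$engine['server_profile'] = $_POST['httpinspect_server_profile'];
	}
	else {
		$engine['server_profile'] = "all";
	}

	// Checkboxes: anything truthy means 'on', absent or falsy means 'off'.
	$flag_fields = array(
		'no_alerts', 'enable_xff', 'log_uri', 'log_hostname',
		'extended_response_inspection', 'enable_cookie',
		'unlimited_decompress', 'inspect_gzip', 'normalize_cookies',
		'normalize_headers', 'normalize_utf', 'normalize_javascript',
		'allow_proxy_use', 'inspect_uri_only', 'decompress_swf',
		'decompress_pdf'
	);
	foreach ($flag_fields as $flag) {
		$engine[$flag] = !empty($_POST["httpinspect_{$flag}"]) ? 'on' : 'off';
	}

	// Can only have one "all" Bind_To address
	// (bind_to is unset when its validation failed above, hence the isset)
	if (isset($engine['bind_to']) && $engine['bind_to'] == "all" && $engine['name'] <> "default") {
		$input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses.");
		// NOTE(review): this copies posted values (including the free-text
		// name) back into $pconfig for redisplay; the template must escape
		// them on output - confirm.
		$pconfig = $engine;
	}

	// if no errors, write new entry to conf
	if (empty($input_errors)) {
		if (isset($eng_id) && $a_nat[$eng_id]) {
			$a_nat[$eng_id] = $engine;
		}
		else
			$a_nat[] = $engine;

		// Reorder the engine array to ensure the
		// 'bind_to=all' entry is at the bottom
		// if it contains more than one entry.
		if (count($a_nat) > 1) {
			$all_idx = -1;
			foreach ($a_nat as $idx => $entry) {
				if ($entry['bind_to'] == "all") {
					$all_idx = $idx;
					break;
				}
			}
			// Only relocate the entry if we found it,
			// and it's not already at the end.
			if ($all_idx > -1 && ($all_idx < (count($a_nat) - 1))) {
				$moved = $a_nat[$all_idx];
				unset($a_nat[$all_idx]);
				$a_nat[] = $moved;
			}
		}

		// Now write the new engine array to conf
		// (presumably $a_nat references the live config array - it is
		// bound outside this part of the file; verify)
		write_config("Snort pkg: modified http_inspect engine settings.");

		// We have saved a preproc config change, so set "dirty" flag
		mark_subsystem_dirty('snort_preprocessors');

		header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
		exit;
	}
}

// Page title shows the friendly description of the interface this Snort
// instance is attached to.
$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine");
include_once("head.inc");
?>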
"default") echo gettext("Name or description for this engine. (Max 25 characters)"); else echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
" . gettext("default") . ""; ?>.
"default") : ?>
  "/>

" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>   " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>

"/>
" . gettext("'default'. ") . "";?> " . gettext("VARIABLES") . "" . gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?>

" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?>
  " . gettext("All") . "";?>

> .
> .

" . gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " . "enabled, otherwise this setting does nothing.");?>
> .
> .
> .
> .
> .

" . gettext("If this option is used without any uricontent rules, then no inspection will take place. " . "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?>
> .
> .
" . gettext("1") . "" . gettext(" and maximum is ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . "" . gettext(" disables this alert). "). gettext("The default value is ") . "" . gettext("200") . "."?>
> .
> .
> .
> .
> .
> .
> .
 " . gettext(" to ") . "" . gettext("65535") . " " . gettext("(") . "" . gettext("-1") . "" . gettext(" disables HTTP inspect, ") . "" . gettext("0") . "" . gettext(" enables all HTTP inspect).");?>

" . gettext("65535") . "
.";?>
 " . gettext(" to ") . "" . gettext("1460") . "" . gettext(" (") . "" . gettext("-1") . "" . gettext(" disables HTTP inspect, ") . "" . gettext("0") . "" . gettext(" enables all HTTP inspect).");?>

" . gettext("1460") . "
.";?>
 " . gettext(" to ") . "" . gettext("65495") . "" . gettext(" (") . "" . gettext("-1") . "" . gettext(" ignores all post data, ") . "" . gettext("0") . "" . gettext(" inspects all post data).");?>

" . gettext("-1") . "
.";?>
 " . gettext(" to ") . "" . gettext("1024") . "" . gettext(" (") . "" . gettext("0") . "" . gettext(" disables the alert).");?>

" . gettext("0") . "
.";?>
 " . gettext(" to ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . "" . gettext(" disables the alert).");?>

" . gettext("0") . "
.";?>
 " . gettext(" to ") . "" . gettext("65535") . "" . gettext(" (") . "" . gettext("0") . "" . gettext(" disables the alert).");?>

" . gettext("0") . "
.";?>
  ">      ">