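$v) {
            if (($v['interface'] == $_POST['interface']) && ($id <> $k)) {
                // The submitted interface name is embedded in the message as-is,
                // so whatever renders $input_errors must HTML-escape it.
                $input_errors[] = gettext("The '{$_POST['interface']}' interface is already assigned to another Snort instance.");
                break;
            }
        }
    }

    // ----------------------------------------------------------------------
    // Save handler for one Snort interface instance.
    //
    // Request data is read straight from $_POST. In this block only the
    // checkbox-style fields are normalised to 'on'/'off'; every other field
    // is stored exactly as submitted.
    // NOTE(review): any validation done earlier in the file is outside this
    // view -- confirm each free-form field is checked before it is stored.
    // ----------------------------------------------------------------------

    // If Snort is disabled on this interface, stop any running instance,
    // save the change, and exit.
    // NOTE(review): this branch runs before $input_errors is consulted and
    // assumes $a_rule[$id] already exists ($id is set outside this view).
    if ($_POST['enable'] != 'on') {
        // This branch is taken for every value other than 'on', so the stored
        // flag is always 'off'. Deriving it from the truthiness of the raw
        // value would record 'on' for any other non-empty string while the
        // instance is being stopped, leaving config and runtime out of step.
        $a_rule[$id]['enable'] = 'off';

        // Create the per-instance "*.disabled" marker files before stopping.
        touch("{$g['varrun_path']}/snort_{$a_rule[$id]['uuid']}.disabled");
        touch("{$g['varrun_path']}/barnyard2_{$a_rule[$id]['uuid']}.disabled");
        snort_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface']));
        write_config("Snort pkg: modified interface configuration for {$a_rule[$id]['interface']}.");

        // presumably read by sync_snort_package_config() -- confirm
        $rebuild_rules = false;
        conf_mount_rw();
        sync_snort_package_config();
        conf_mount_ro();

        // Prevent caching of the response, then return to the interface list.
        header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
        header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
        header( 'Cache-Control: no-store, no-cache, must-revalidate' );
        header( 'Cache-Control: post-check=0, pre-check=0', false );
        header( 'Pragma: no-cache' );
        header("Location: /snort/snort_interfaces.php");
        exit;
    }

    /* if no errors write to conf */
    if (!$input_errors) {
        /* Most changes don't require a rules rebuild, so default to "off" */
        $rebuild_rules = false;

        // Start from the stored entry so settings not handled here survive.
        $natent = $a_rule[$id];
        $natent['interface'] = $_POST['interface'];
        // Only the literal value 'on' counts as enabled.
        $natent['enable'] = ($_POST['enable'] == 'on') ? 'on' : 'off';
        $natent['uuid'] = $pconfig['uuid'];

        /* See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed */
        // These comparisons must run before the list names are overwritten
        // further down, while $natent still holds the stored values.
        $snort_reload = false;
        if ($_POST['homelistname'] && ($_POST['homelistname'] != $natent['homelistname'])) {
            $snort_reload = true;
        }
        if ($_POST['externallistname'] && ($_POST['externallistname'] != $natent['externallistname'])) {
            $snort_reload = true;
        }
        if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] != $natent['suppresslistname'])) {
            $snort_reload = true;
        }

        // Free-form fields: a non-empty submitted value is stored verbatim,
        // an empty one removes the key (or falls back to a default).
        // NOTE(review): nothing in this block restricts these values to the
        // choices the form offers. They are persisted by write_config() below
        // and presumably consumed when snort.conf is generated -- confirm they
        // are validated (allow-list for the selects, numeric check for the
        // limits) before this point or where the configuration file is
        // written, and that 'descr' is escaped wherever it is displayed.
        if ($_POST['descr']) {
            $natent['descr'] = $_POST['descr'];
        } else {
            $natent['descr'] = convert_friendly_interface_to_friendly_descr($natent['interface']);
        }

        if ($_POST['performance']) {
            $natent['performance'] = $_POST['performance'];
        } else {
            unset($natent['performance']);
        }

        /* if post = on use on off or rewrite the conf */
        if ($_POST['blockoffenders7'] == "on") {
            $natent['blockoffenders7'] = 'on';
        } else {
            $natent['blockoffenders7'] = 'off';
        }

        if ($_POST['blockoffenderskill'] == "on") {
            $natent['blockoffenderskill'] = 'on';
        } else {
            unset($natent['blockoffenderskill']);
        }

        if ($_POST['blockoffendersip']) {
            $natent['blockoffendersip'] = $_POST['blockoffendersip'];
        } else {
            unset($natent['blockoffendersip']);
        }

        if ($_POST['whitelistname']) {
            $natent['whitelistname'] = $_POST['whitelistname'];
        } else {
            unset($natent['whitelistname']);
        }

        if ($_POST['homelistname']) {
            $natent['homelistname'] = $_POST['homelistname'];
        } else {
            unset($natent['homelistname']);
        }

        if ($_POST['alert_log_limit']) {
            $natent['alert_log_limit'] = $_POST['alert_log_limit'];
        } else {
            unset($natent['alert_log_limit']);
        }

        if ($_POST['alert_log_retention']) {
            $natent['alert_log_retention'] = $_POST['alert_log_retention'];
        } else {
            unset($natent['alert_log_retention']);
        }

        if ($_POST['externallistname']) {
            $natent['externallistname'] = $_POST['externallistname'];
        } else {
            unset($natent['externallistname']);
        }

        if ($_POST['suppresslistname']) {
            $natent['suppresslistname'] = $_POST['suppresslistname'];
        } else {
            unset($natent['suppresslistname']);
        }

        if ($_POST['alertsystemlog'] == "on") {
            $natent['alertsystemlog'] = 'on';
        } else {
            $natent['alertsystemlog'] = 'off';
        }

        // Facility and priority are only overwritten when a value was sent;
        // an empty field keeps whatever the stored entry had.
        if ($_POST['alertsystemlog_facility']) {
            $natent['alertsystemlog_facility'] = $_POST['alertsystemlog_facility'];
        }
        if ($_POST['alertsystemlog_priority']) {
            $natent['alertsystemlog_priority'] = $_POST['alertsystemlog_priority'];
        }

        // Line endings are normalised to "\n" and the text is stored
        // base64-encoded.
        // NOTE(review): the field name suggests this text is passed through to
        // the generated Snort configuration unchanged, so whoever may submit
        // this form controls those directives -- confirm access to this page
        // is limited to administrators.
        if ($_POST['configpassthru']) {
            $natent['configpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['configpassthru']));
        } else {
            unset($natent['configpassthru']);
        }

        if ($_POST['cksumcheck']) {
            $natent['cksumcheck'] = 'on';
        } else {
            $natent['cksumcheck'] = 'off';
        }

        if ($_POST['fpm_split_any_any'] == "on") {
            $natent['fpm_split_any_any'] = 'on';
        } else {
            $natent['fpm_split_any_any'] = 'off';
        }

        if ($_POST['fpm_search_optimize'] == "on") {
            $natent['fpm_search_optimize'] = 'on';
        } else {
            $natent['fpm_search_optimize'] = 'off';
        }

        if ($_POST['fpm_no_stream_inserts'] == "on") {
            $natent['fpm_no_stream_inserts'] = 'on';
        } else {
            $natent['fpm_no_stream_inserts'] = 'off';
        }

        // NOTE(review): $if_real derives from the submitted interface name and
        // is used in filesystem paths below; confirm the name is checked
        // against the configured interfaces before this point.
        $if_real = get_real_interface($natent['interface']);

        if (isset($id) && $a_rule[$id] && $action == '') {
            // See if moving an existing Snort instance to another physical interface
            if ($natent['interface'] != $a_rule[$id]['interface']) {
                $oif_real = get_real_interface($a_rule[$id]['interface']);

                // Remember whether the instance was running so it can be
                // restarted on the new interface after the config is synced.
                if (snort_is_running($a_rule[$id]['uuid'], $oif_real)) {
                    snort_stop($a_rule[$id], $oif_real);
                    $snort_start = true;
                } else {
                    $snort_start = false;
                }

                // Move the log and configuration directories to names based on
                // the new interface. Failures are suppressed with @ (best
                // effort); a failed rename leaves the old directory in place.
                @rename("{$snortlogdir}/snort_{$oif_real}{$a_rule[$id]['uuid']}", "{$snortlogdir}/snort_{$if_real}{$a_rule[$id]['uuid']}");
                conf_mount_rw();
                @rename("{$snortdir}/snort_{$a_rule[$id]['uuid']}_{$oif_real}", "{$snortdir}/snort_{$a_rule[$id]['uuid']}_{$if_real}");
                conf_mount_ro();
            }
            $a_rule[$id] = $natent;
        } elseif (strcasecmp($action, 'dup') == 0) {
            // Duplicating an interface, so set flag to build new rules
            $rebuild_rules = true;

            // The clone needs its own UUID
            $natent['uuid'] = snort_generate_id();

            // Add the new duplicated interface configuration to the [rule] array in config
            $a_rule[] = $natent;
        } else {
            // Adding new interface, so set required interface configuration defaults.
            // Each *_eng array below is appended as the "default" engine entry
            // of the matching preprocessor's 'item' list.
            $frag3_eng = array(
                "name" => "default",
                "bind_to" => "all",
                "policy" => "bsd",
                "timeout" => 60,
                "min_ttl" => 1,
                "detect_anomalies" => "on",
                "overlap_limit" => 0,
                "min_frag_len" => 0
            );

            $stream5_eng = array(
                "name" => "default",
                "bind_to" => "all",
                "policy" => "bsd",
                "timeout" => 30,
                "max_queued_bytes" => 1048576,
                "detect_anomalies" => "off",
                "overlap_limit" => 0,
                "max_queued_segs" => 2621,
                "require_3whs" => "off",
                "startup_3whs_timeout" => 0,
                "no_reassemble_async" => "off",
                "max_window" => 0,
                "use_static_footprint_sizes" => "off",
                "check_session_hijacking" => "off",
                "dont_store_lg_pkts" => "off",
                "ports_client" => "default",
                "ports_both" => "default",
                "ports_server" => "none"
            );

            $http_eng = array(
                "name" => "default",
                "bind_to" => "all",
                "server_profile" => "all",
                "enable_xff" => "off",
                "log_uri" => "off",
                "log_hostname" => "off",
                "server_flow_depth" => 65535,
                "enable_cookie" => "on",
                "client_flow_depth" => 1460,
                "extended_response_inspection" => "on",
                "no_alerts" => "off",
                "unlimited_decompress" => "on",
                "inspect_gzip" => "on",
                "normalize_cookies" => "on",
                "normalize_headers" => "on",
                "normalize_utf" => "on",
                "normalize_javascript" => "on",
                "allow_proxy_use" => "off",
                "inspect_uri_only" => "off",
                "max_javascript_whitespaces" => 200,
                "post_depth" => -1,
                "max_headers" => 0,
                "max_spaces" => 0,
                "max_header_length" => 0,
                "ports" => "default"
            );

            $ftp_client_eng = array(
                "name" => "default",
                "bind_to" => "all",
                "max_resp_len" => 256,
                "telnet_cmds" => "no",
                "ignore_telnet_erase_cmds" => "yes",
                "bounce" => "yes",
                "bounce_to_net" => "",
                "bounce_to_port" => ""
            );

            $ftp_server_eng = array(
                "name" => "default",
                "bind_to" => "all",
                "ports" => "default",
                "telnet_cmds" => "no",
                "ignore_telnet_erase_cmds" => "yes",
                "ignore_data_chan" => "no",
                "def_max_param_len" => 100
            );

            $natent['max_attribute_hosts'] = '10000';
            $natent['max_attribute_services_per_host'] = '10';
            $natent['max_paf'] = '16000';

            // FTP/Telnet preprocessor defaults
            $natent['ftp_preprocessor'] = 'on';
            $natent['ftp_telnet_inspection_type'] = "stateful";
            $natent['ftp_telnet_alert_encrypted'] = "off";
            $natent['ftp_telnet_check_encrypted'] = "on";
            $natent['ftp_telnet_normalize'] = "on";
            $natent['ftp_telnet_detect_anomalies'] = "on";
            $natent['ftp_telnet_ayt_attack_threshold'] = "20";
            if (!is_array($natent['ftp_client_engine']['item'])) {
                $natent['ftp_client_engine']['item'] = array();
            }
            $natent['ftp_client_engine']['item'][] = $ftp_client_eng;
            if (!is_array($natent['ftp_server_engine']['item'])) {
                $natent['ftp_server_engine']['item'] = array();
            }
            $natent['ftp_server_engine']['item'][] = $ftp_server_eng;

            // SMTP preprocessor defaults
            $natent['smtp_preprocessor'] = 'on';
            $natent['smtp_memcap'] = "838860";
            $natent['smtp_max_mime_mem'] = "838860";
            $natent['smtp_b64_decode_depth'] = "0";
            $natent['smtp_qp_decode_depth'] = "0";
            $natent['smtp_bitenc_decode_depth'] = "0";
            $natent['smtp_uu_decode_depth'] = "0";
            $natent['smtp_email_hdrs_log_depth'] = "1464";
            $natent['smtp_ignore_data'] = 'off';
            $natent['smtp_ignore_tls_data'] = 'on';
            $natent['smtp_log_mail_from'] = 'on';
            $natent['smtp_log_rcpt_to'] = 'on';
            $natent['smtp_log_filename'] = 'on';
            $natent['smtp_log_email_hdrs'] = 'on';

            $natent['dce_rpc_2'] = 'on';
            $natent['dns_preprocessor'] = 'on';
            $natent['ssl_preproc'] = 'on';

            // POP preprocessor defaults
            $natent['pop_preproc'] = 'on';
            $natent['pop_memcap'] = "838860";
            $natent['pop_b64_decode_depth'] = "0";
            $natent['pop_qp_decode_depth'] = "0";
            $natent['pop_bitenc_decode_depth'] = "0";
            $natent['pop_uu_decode_depth'] = "0";

            // IMAP preprocessor defaults
            $natent['imap_preproc'] = 'on';
            $natent['imap_memcap'] = "838860";
            $natent['imap_b64_decode_depth'] = "0";
            $natent['imap_qp_decode_depth'] = "0";
            $natent['imap_bitenc_decode_depth'] = "0";
            $natent['imap_uu_decode_depth'] = "0";

            $natent['sip_preproc'] = 'on';
            $natent['other_preprocs'] = 'on';

            // Portscan detection defaults
            $natent['pscan_protocol'] = 'all';
            $natent['pscan_type'] = 'all';
            $natent['pscan_memcap'] = '10000000';
            $natent['pscan_sense_level'] = 'medium';

            // HTTP inspect defaults
            $natent['http_inspect'] = "on";
            $natent['http_inspect_proxy_alert'] = "off";
            $natent['http_inspect_memcap'] = "150994944";
            $natent['http_inspect_max_gzip_mem'] = "838860";
            if (!is_array($natent['http_inspect_engine']['item'])) {
                $natent['http_inspect_engine']['item'] = array();
            }
            $natent['http_inspect_engine']['item'][] = $http_eng;

            // Frag3 defaults
            $natent['frag3_max_frags'] = '8192';
            $natent['frag3_memcap'] = '4194304';
            $natent['frag3_detection'] = 'on';
            if (!is_array($natent['frag3_engine']['item'])) {
                $natent['frag3_engine']['item'] = array();
            }
            $natent['frag3_engine']['item'][] = $frag3_eng;

            // Stream5 defaults
            $natent['stream5_reassembly'] = 'on';
            $natent['stream5_flush_on_alert'] = 'off';
            $natent['stream5_prune_log_max'] = '1048576';
            $natent['stream5_track_tcp'] = 'on';
            $natent['stream5_max_tcp'] = '262144';
            $natent['stream5_track_udp'] = 'on';
            $natent['stream5_max_udp'] = '131072';
            $natent['stream5_udp_timeout'] = '30';
            $natent['stream5_track_icmp'] = 'off';
            $natent['stream5_max_icmp'] = '65536';
            $natent['stream5_icmp_timeout'] = '30';
            $natent['stream5_mem_cap'] = '8388608';
            if (!is_array($natent['stream5_tcp_engine']['item'])) {
                $natent['stream5_tcp_engine']['item'] = array();
            }
            $natent['stream5_tcp_engine']['item'][] = $stream5_eng;

            // NOTE(review): these two defaults replace any facility/priority
            // copied from $_POST above when a new interface is added.
            $natent['alertsystemlog_facility'] = "log_auth";
            $natent['alertsystemlog_priority'] = "log_alert";

            $a_rule[] = $natent;
        }

        /* If Snort is disabled on this interface, stop any running instance */
        if ($natent['enable'] != 'on') {
            snort_stop($natent, $if_real);
        }

        /* Save configuration changes */
        write_config("Snort pkg: modified interface configuration for {$natent['interface']}.");

        /* Update snort.conf and snort.sh files for this interface */
        conf_mount_rw();
        sync_snort_package_config();
        conf_mount_ro();

        /* See if we need to restart Snort after an interface re-assignment */
        // $snort_start is assigned only in the interface-move branch above;
        // !empty() gives the same truth test without reading an undefined
        // variable on every other path.
        if (!empty($snort_start)) {
            snort_start($natent, $if_real);
        }

        /* Signal Snort to reload configuration if we changed HOME_NET,  */
        /* EXTERNAL_NET or Suppress list values. The function only       */
        /* signals a running Snort instance to safely reload these       */
        /* parameters.                                                   */
        if ($snort_reload == true) {
            snort_reload_config($natent, "SIGHUP");
        }

        // Prevent caching of the response, then return to the interface list.
        header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
        header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
        header( 'Cache-Control: no-store, no-cache, must-revalidate' );
        header( 'Cache-Control: post-check=0, pre-check=0', false );
        header( 'Pragma: no-cache' );
        header("Location: /snort/snort_interfaces.php");
        exit;
    } else {
        // Validation failed: keep the submitted values so the form can be
        // redisplayed with them.
        $pconfig = $_POST;
    }
}

// Page title uses the friendly description of the stored interface.
$if_friendly = convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface']);
$pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings");
include_once("head.inc");
?>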