. * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. 
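*/

/*
 * Preprocessor settings page for one Snort interface.
 *
 * Request handling (all before any HTML is emitted):
 *   - resolve the interface index ($id) from POST/GET, redirecting away when absent;
 *   - load that interface's saved settings into $pconfig and fill in display defaults;
 *   - handle the "selected alias" return from the SELECT ALIAS page (GET act=import);
 *   - handle the per-engine delete buttons, "Reset All", "Save/Apply",
 *     Host Attribute Table import and the edit-HAT hand-off (POST).
 *
 * Every input comes from the browser; numeric ranges are validated on save
 * and the interface/engine indices are checked with is_numericint() before
 * they are used as array keys.
 */

require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");

global $g, $rebuild_rules;

$snortlogdir = SNORTLOGDIR;

// Interface config index.  Initialised explicitly so the is_null() test
// below never depends on an undefined variable.  Only a validated
// non-negative integer is accepted; anything else returns the user to
// the interfaces list.
$id = null;
if (isset($_POST['id']) && is_numericint($_POST['id']))
	$id = $_POST['id'];
elseif (isset($_GET['id']) && is_numericint($_GET['id']))
	$id = htmlspecialchars($_GET['id']);

if (is_null($id)) {
	header("Location: /snort/snort_interfaces.php");
	exit;
}

if (!is_array($config['installedpackages']['snortglobal']))
	$config['installedpackages']['snortglobal'] = array();
if (!is_array($config['installedpackages']['snortglobal']['rule']))
	$config['installedpackages']['snortglobal']['rule'] = array();

// Initialize multiple config engine arrays for supported preprocessors if necessary
$preproc_engine_keys = array('frag3_engine', 'stream5_tcp_engine', 'http_inspect_engine', 'ftp_server_engine', 'ftp_client_engine');
foreach ($preproc_engine_keys as $ekey) {
	if (!is_array($config['installedpackages']['snortglobal']['rule'][$id][$ekey]['item']))
		$config['installedpackages']['snortglobal']['rule'][$id][$ekey]['item'] = array();
}

$a_nat = &$config['installedpackages']['snortglobal']['rule'];

$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];

// Calculate the "next engine ID" to use for the multi-config engine arrays
$frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']);
$stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']);
$http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']);
$ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']);
$ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']);

$pconfig = array();
if (isset($id) && isset($a_nat[$id])) {
	$pconfig = $a_nat[$id];

	// Initialize multiple config engine arrays for supported preprocessors if necessary
	foreach ($preproc_engine_keys as $ekey) {
		if (!is_array($pconfig[$ekey]['item']))
			$pconfig[$ekey]['item'] = array();
	}

	/************************************************************/
	/* To keep new users from shooting themselves in the foot   */
	/* enable the most common required preprocessors by default */
	/* and set reasonable values for any options.               */
	/************************************************************/

	// Options where an explicit zero is a legitimate setting: only fill
	// the default when the value is unset or blank.  (The former
	// "empty() && <> 0" test compared loosely against int 0, so it did
	// not fire for an unset value; all four now use the same rule.)
	$zero_ok_defaults = array(
		'max_paf' => '16000',
		'ftp_telnet_ayt_attack_threshold' => '20',
		'smtp_email_hdrs_log_depth' => "1464",
		'stream5_prune_log_max' => '1048576',
	);
	foreach ($zero_ok_defaults as $opt => $def) {
		if (!isset($pconfig[$opt]) || (empty($pconfig[$opt]) && (string)$pconfig[$opt] !== '0'))
			$pconfig[$opt] = $def;
	}

	// Everything else: fill the default whenever the stored value is empty.
	$preproc_defaults = array(
		'max_attribute_hosts' => '10000',
		'max_attribute_services_per_host' => '10',
		'ftp_preprocessor' => 'on',
		'ftp_telnet_inspection_type' => 'stateful',
		'ftp_telnet_alert_encrypted' => 'off',
		'ftp_telnet_check_encrypted' => 'on',
		'ftp_telnet_normalize' => 'on',
		'ftp_telnet_detect_anomalies' => 'on',
		'sdf_alert_data_type' => "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers",
		'sdf_alert_threshold' => '25',
		'sdf_mask_output' => 'off',
		'smtp_preprocessor' => 'on',
		'smtp_memcap' => "838860",
		'smtp_max_mime_mem' => "838860",
		'smtp_b64_decode_depth' => "0",
		'smtp_qp_decode_depth' => "0",
		'smtp_bitenc_decode_depth' => "0",
		'smtp_uu_decode_depth' => "0",
		'smtp_ignore_tls_data' => 'on',
		'smtp_log_mail_from' => 'on',
		'smtp_log_rcpt_to' => 'on',
		'smtp_log_filename' => 'on',
		'smtp_log_email_hdrs' => 'on',
		'dce_rpc_2' => 'on',
		'dns_preprocessor' => 'on',
		'ssl_preproc' => 'on',
		'pop_preproc' => 'on',
		'pop_memcap' => "838860",
		'pop_b64_decode_depth' => "0",
		'pop_qp_decode_depth' => "0",
		'pop_bitenc_decode_depth' => "0",
		'pop_uu_decode_depth' => "0",
		'imap_preproc' => 'on',
		'imap_memcap' => "838860",
		'imap_b64_decode_depth' => "0",
		'imap_qp_decode_depth' => "0",
		'imap_bitenc_decode_depth' => "0",
		'imap_uu_decode_depth' => "0",
		'sip_preproc' => 'on',
		'other_preprocs' => 'on',
		'ssh_preproc' => 'on',
		'http_inspect' => "on",
		'http_inspect_proxy_alert' => "off",
		'http_inspect_memcap' => "150994944",
		'http_inspect_max_gzip_mem' => "838860",
		'frag3_max_frags' => '8192',
		'frag3_memcap' => '4194304',
		'frag3_detection' => 'on',
		'stream5_reassembly' => 'on',
		'stream5_flush_on_alert' => 'off',
		'stream5_track_tcp' => 'on',
		'stream5_max_tcp' => '262144',
		'stream5_track_udp' => 'on',
		'stream5_max_udp' => '131072',
		'stream5_udp_timeout' => '30',
		'stream5_track_icmp' => 'off',
		'stream5_max_icmp' => '65536',
		'stream5_icmp_timeout' => '30',
		'stream5_mem_cap' => '8388608',
		'pscan_protocol' => 'all',
		'pscan_type' => 'all',
		'pscan_memcap' => '10000000',
		'pscan_sense_level' => 'medium',
	);
	foreach ($preproc_defaults as $opt => $def) {
		if (empty($pconfig[$opt]))
			$pconfig[$opt] = $def;
	}
}

$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']);

/* Define the "disabled_preproc_rules.log" file for this interface */
$disabled_rules_log = "{$if_friendly}_disabled_preproc_rules.log";

// Check for returned "selected alias" if action is import
if (isset($_GET['act']) && $_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) {
	// Retrieve previously typed values we passed to SELECT ALIAS page
	$pconfig['sf_portscan'] = htmlspecialchars($_GET['sf_portscan']) ? 'on' : 'off';
	$pconfig['pscan_ignore_scanners'] = htmlspecialchars($_GET['pscan_ignore_scanners']);
	$pconfig['pscan_protocol'] = htmlspecialchars($_GET['pscan_protocol']);
	$pconfig['pscan_type'] = htmlspecialchars($_GET['pscan_type']);
	$pconfig['pscan_memcap'] = htmlspecialchars($_GET['pscan_memcap']);
	$pconfig['pscan_sense_level'] = htmlspecialchars($_GET['pscan_sense_level']);

	// Now retrieve the "selected alias" returned from SELECT ALIAS page.
	// NOTE(review): 'varname' comes straight from the query string and is
	// used as a $pconfig key.  The only alias-capable field handled in this
	// file is pscan_ignore_scanners; once the form side confirms that,
	// restrict 'varname' to an allow-list of known field names.
	$pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']);

	// We have made a preproc config change, so set "dirty" flag
	mark_subsystem_dirty('snort_preprocessors');
}

// Handle deleting of any of the multiple configuration engines.
// button name => (engine array key, label used in the config log, page anchor to return to)
$engine_delete_buttons = array(
	'del_http_inspect' => array('http_inspect_engine', 'http_inspect', 'httpinspect_row'),
	'del_frag3' => array('frag3_engine', 'frag3', 'frag3_row'),
	'del_stream5_tcp' => array('stream5_tcp_engine', 'stream5', 'stream5_row'),
	'del_ftp_client' => array('ftp_client_engine', 'ftp_client', 'ftp_telnet_row'),
	'del_ftp_server' => array('ftp_server_engine', 'ftp_server', 'ftp_telnet_row'),
);
foreach ($engine_delete_buttons as $btn => $eng_info) {
	if (empty($_POST[$btn]))
		continue;
	list($eng_array, $eng_label, $eng_anchor) = $eng_info;
	// The engine index is used as an array key, so it must be a validated integer
	if (isset($_POST['eng_id']) && is_numericint($_POST['eng_id']) && isset($id) && isset($a_nat[$id])) {
		unset($a_nat[$id][$eng_array]['item'][$_POST['eng_id']]);
		write_config("Snort pkg: deleted {$eng_label} engine for {$a_nat[$id]['interface']}.");
		header("Location: snort_preprocessors.php?id=$id#{$eng_anchor}");
		exit;
	}
	// Only the first pressed button is considered (mirrors the former if/elseif chain)
	break;
}

if (!empty($_POST['ResetAll'])) {
	/* Reset all the preprocessor settings to defaults */
	$reset_defaults = array(
		'perform_stat' => "off",
		'host_attribute_table' => "off",
		'max_attribute_hosts' => '10000',
		'max_attribute_services_per_host' => '10',
		'max_paf' => '16000',
		'stream5_reassembly' => "on",
		'stream5_flush_on_alert' => 'off',
		'stream5_prune_log_max' => '1048576',
		'stream5_track_tcp' => "on",
		'stream5_max_tcp' => "262144",
		'stream5_track_udp' => "on",
		'stream5_max_udp' => "131072",
		'stream5_track_icmp' => "off",
		'stream5_max_icmp' => "65536",
		'stream5_mem_cap' => "8388608",
		'stream5_udp_timeout' => "30",
		'stream5_icmp_timeout' => "30",
		'http_inspect' => "on",
		'http_inspect_proxy_alert' => "off",
		'http_inspect_memcap' => "150994944",
		'http_inspect_max_gzip_mem' => "838860",
		'other_preprocs' => "on",
		'ftp_preprocessor' => "on",
		'ftp_telnet_inspection_type' => "stateful",
		'ftp_telnet_alert_encrypted' => "off",
		'ftp_telnet_check_encrypted' => "on",
		'ftp_telnet_normalize' => "on",
		'ftp_telnet_detect_anomalies' => "on",
		'ftp_telnet_ayt_attack_threshold' => "20",
		'smtp_preprocessor' => "on",
		'smtp_memcap' => "838860",
		'smtp_max_mime_mem' => "838860",
		'smtp_b64_decode_depth' => "0",
		'smtp_qp_decode_depth' => "0",
		'smtp_bitenc_decode_depth' => "0",
		'smtp_uu_decode_depth' => "0",
		'smtp_email_hdrs_log_depth' => "1464",
		'smtp_ignore_data' => 'off',
		'smtp_ignore_tls_data' => 'on',
		'smtp_log_mail_from' => 'on',
		'smtp_log_rcpt_to' => 'on',
		'smtp_log_filename' => 'on',
		'smtp_log_email_hdrs' => 'on',
		'appid_preproc' => "off",
		'sf_appid_mem_cap' => "256",
		'sf_appid_statslog' => "on",
		'sf_appid_stats_period' => "300",
		'sf_portscan' => "off",
		'pscan_protocol' => "all",
		'pscan_type' => "all",
		'pscan_sense_level' => "medium",
		'pscan_ignore_scanners' => "",
		'pscan_memcap' => '10000000',
		'dce_rpc_2' => "on",
		'dns_preprocessor' => "on",
		'sensitive_data' => "off",
		'sdf_alert_data_type' => "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers",
		'sdf_alert_threshold' => "25",
		'sdf_mask_output' => "off",
		'ssl_preproc' => "on",
		'pop_preproc' => "on",
		'pop_memcap' => "838860",
		'pop_b64_decode_depth' => "0",
		'pop_qp_decode_depth' => "0",
		'pop_bitenc_decode_depth' => "0",
		'pop_uu_decode_depth' => "0",
		'imap_preproc' => "on",
		'imap_memcap' => "838860",
		'imap_b64_decode_depth' => "0",
		'imap_qp_decode_depth' => "0",
		'imap_bitenc_decode_depth' => "0",
		'imap_uu_decode_depth' => "0",
		'sip_preproc' => "on",
		'dnp3_preproc' => "off",
		'modbus_preproc' => "off",
		'gtp_preproc' => "off",
		'ssh_preproc' => "on",
		'preproc_auto_rule_disable' => "off",
		'protect_preproc_rules' => "off",
		'frag3_detection' => "on",
		'frag3_max_frags' => "8192",
		'frag3_memcap' => "4194304",
	);
	foreach ($reset_defaults as $opt => $def)
		$pconfig[$opt] = $def;

	/* Log a message at the top of the page to inform the user */
	$savemsg = gettext("All preprocessor settings have been reset to their defaults.");
}

if (!empty($_POST['save']) || !empty($_POST['apply'])) {
	$natent = $pconfig;

	// Validate SDF alert threshold and alert data type values if SDF is enabled
	if ($_POST['sensitive_data'] == 'on') {
		if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 65535)
			$input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 65,535.");
		if (empty($_POST['sdf_alert_data_type']))
			$input_errors[] = gettext("You must select at least one sensitive data type to inspect for when Sensitive Data detection is enabled.");
	}

	// Numeric range checks for the decoder preprocessors, applied only when
	// the owning preprocessor is enabled.
	// enabling field => list of (field, min, max, error message)
	$range_checks = array(
		'pop_preproc' => array(
			array('pop_memcap', 3276, 104857600, gettext("The value for POP3 Decoder Memory Cap must be between 3,276 and 104,857,600.")),
			array('pop_b64_decode_depth', -1, 65535, gettext("The value for POP3 Decoder Base64 Decode Depth must be between -1 and 65,535.")),
			array('pop_qp_decode_depth', -1, 65535, gettext("The value for POP3 Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535.")),
			array('pop_bitenc_decode_depth', -1, 65535, gettext("The value for POP3 Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535.")),
			array('pop_uu_decode_depth', -1, 65535, gettext("The value for POP3 Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535.")),
		),
		'imap_preproc' => array(
			array('imap_memcap', 3276, 104857600, gettext("The value for IMAP Decoder Memory Cap must be between 3,276 and 104,857,600.")),
			array('imap_b64_decode_depth', -1, 65535, gettext("The value for IMAP Decoder Base64 Decode Depth must be between -1 and 65,535.")),
			array('imap_qp_decode_depth', -1, 65535, gettext("The value for IMAP Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535.")),
			array('imap_bitenc_decode_depth', -1, 65535, gettext("The value for IMAP Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535.")),
			array('imap_uu_decode_depth', -1, 65535, gettext("The value for IMAP Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535.")),
		),
		'smtp_preprocessor' => array(
			array('smtp_memcap', 3276, 104857600, gettext("The value for SMTP Decoder Memory Cap must be between 3,276 and 104,857,600.")),
			array('smtp_max_mime_mem', 3276, 104857600, gettext("The value for SMTP Decoder Maximum MIME Memory must be between 3,276 and 104,857,600.")),
			array('smtp_b64_decode_depth', -1, 65535, gettext("The value for SMTP Decoder Base64 Decode Depth must be between -1 and 65,535.")),
			array('smtp_qp_decode_depth', -1, 65535, gettext("The value for SMTP Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535.")),
			array('smtp_bitenc_decode_depth', -1, 65535, gettext("The value for SMTP Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535.")),
			array('smtp_uu_decode_depth', -1, 65535, gettext("The value for SMTP Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535.")),
			array('smtp_email_hdrs_log_depth', 0, 20480, gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480.")),
		),
		'appid_preproc' => array(
			array('sf_appid_mem_cap', 32, 3000, gettext("The value for Application ID Memory Cap must be between 32 and 3000.")),
			array('sf_appid_stats_period', 60, 3600, gettext("The value for Application ID Stats Period must be between 60 and 3600.")),
		),
	);
	foreach ($range_checks as $enable_field => $checks) {
		if ($_POST[$enable_field] != 'on')
			continue;
		foreach ($checks as $chk) {
			list($field, $min, $max, $msg) = $chk;
			if ($_POST[$field] < $min || $_POST[$field] > $max)
				$input_errors[] = $msg;
		}
	}

	// Validate Portscan Ignore_Scanners parameter.  The alias name itself is
	// expanded; the previous code expanded an unrelated (undefined) "def_"
	// field, so the FQDN check never looked at the alias the user chose.
	if ($_POST['sf_portscan'] == 'on' && is_alias($_POST['pscan_ignore_scanners'])) {
		if (trim(filter_expand_alias($_POST['pscan_ignore_scanners'])) == "")
			$input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNERS parameter.");
	}

	/* if no errors write to conf */
	if (!$input_errors) {
		/* post new options */

		// Free-form fields: the posted value, or the page default when left blank.
		$posted_or_default = array(
			'max_attribute_hosts' => "10000",
			'max_attribute_services_per_host' => "10",
			'max_paf' => "16000",
			'http_inspect_memcap' => "150994944",
			'http_inspect_max_gzip_mem' => "838860",
			'stream5_mem_cap' => "8388608",
			'stream5_prune_log_max' => "1048576",
			'stream5_udp_timeout' => "30",
			'stream5_icmp_timeout' => "30",
			'stream5_max_tcp' => "262144",
			'stream5_max_udp' => "131072",
			'stream5_max_icmp' => "65536",
			'pscan_protocol' => "all",
			'pscan_type' => "all",
			'pscan_memcap' => "10000000",
			'pscan_sense_level' => "medium",
			'pscan_ignore_scanners' => "",
			'frag3_max_frags' => "8192",
			'frag3_memcap' => "4194304",
			'ftp_telnet_inspection_type' => "stateful",
			'ftp_telnet_ayt_attack_threshold' => "20",
			'sdf_alert_threshold' => "25",
			'pop_memcap' => "838860",
			'pop_b64_decode_depth' => "0",
			'pop_qp_decode_depth' => "0",
			'pop_bitenc_decode_depth' => "0",
			'pop_uu_decode_depth' => "0",
			'imap_memcap' => "838860",
			'imap_b64_decode_depth' => "0",
			'imap_qp_decode_depth' => "0",
			'imap_bitenc_decode_depth' => "0",
			'imap_uu_decode_depth' => "0",
			'smtp_memcap' => "838860",
			'smtp_max_mime_mem' => "838860",
			'smtp_b64_decode_depth' => "0",
			'smtp_qp_decode_depth' => "0",
			'smtp_bitenc_decode_depth' => "0",
			'smtp_uu_decode_depth' => "0",
			'smtp_email_hdrs_log_depth' => "1464",
			'sf_appid_mem_cap' => "256",
			'sf_appid_stats_period' => "300",
		);
		foreach ($posted_or_default as $opt => $def)
			$natent[$opt] = ($_POST[$opt] != "") ? $_POST[$opt] : $def;

		// Set SDF inspection types.  The field is a multi-select and is absent
		// from the POST when nothing is chosen, so only implode a real array.
		$natent['sdf_alert_data_type'] = is_array($_POST['sdf_alert_data_type']) ? implode(",", $_POST['sdf_alert_data_type']) : "";

		// Checkbox fields: present in the POST only when ticked.
		$checkbox_fields = array(
			'perform_stat', 'host_attribute_table', 'http_inspect', 'http_inspect_proxy_alert',
			'other_preprocs', 'ftp_preprocessor', 'ftp_telnet_alert_encrypted', 'ftp_telnet_check_encrypted',
			'ftp_telnet_normalize', 'ftp_telnet_detect_anomalies', 'smtp_preprocessor', 'smtp_ignore_data',
			'smtp_ignore_tls_data', 'smtp_log_mail_from', 'smtp_log_rcpt_to', 'smtp_log_filename',
			'smtp_log_email_hdrs', 'sf_portscan', 'dce_rpc_2', 'dns_preprocessor', 'sensitive_data',
			'sdf_mask_output', 'ssl_preproc', 'pop_preproc', 'imap_preproc', 'dnp3_preproc', 'modbus_preproc',
			'sip_preproc', 'gtp_preproc', 'ssh_preproc', 'preproc_auto_rule_disable', 'protect_preproc_rules',
			'frag3_detection', 'stream5_reassembly', 'stream5_flush_on_alert', 'stream5_track_tcp',
			'stream5_track_udp', 'stream5_track_icmp', 'appid_preproc', 'sf_appid_statslog',
		);
		foreach ($checkbox_fields as $opt)
			$natent[$opt] = $_POST[$opt] ? 'on' : 'off';

		if (isset($id) && isset($a_nat[$id])) {
			$a_nat[$id] = $natent;
			write_config("Snort pkg: saved modified preprocessor settings for {$a_nat[$id]['interface']}.");
		}

		/*************************************************/
		/* Update the snort.conf file and rebuild the    */
		/* rules for this interface.                     */
		/*************************************************/
		$rebuild_rules = true;
		conf_mount_rw();
		snort_generate_conf($natent);
		conf_mount_ro();
		$rebuild_rules = false;

		/* If 'preproc_auto_rule_disable' is off, then clear log file */
		if ($natent['preproc_auto_rule_disable'] == 'off')
			unlink_if_exists("{$snortlogdir}/{$disabled_rules_log}");

		/*******************************************************/
		/* Signal Snort to reload Host Attribute Table if one  */
		/* is configured and saved.                            */
		/*******************************************************/
		if ($natent['host_attribute_table'] == "on" && !empty($natent['host_attribute_data']))
			snort_reload_config($natent, "SIGURG");

		/* Sync to configured CARP slaves if any are enabled */
		snort_sync_on_changes();

		// We have saved changes, so clear "dirty" flag
		clear_subsystem_dirty('snort_preprocessors');

		/* after click go to this page */
		header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
		header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
		header( 'Cache-Control: no-store, no-cache, must-revalidate' );
		header( 'Cache-Control: post-check=0, pre-check=0', false );
		header( 'Pragma: no-cache' );
		header("Location: snort_preprocessors.php?id=$id");
		exit;
	}
	else
		$pconfig = $_POST;
}

if (!empty($_POST['btn_import'])) {
	if (is_uploaded_file($_FILES['host_attribute_file']['tmp_name'])) {
		$data = file_get_contents($_FILES['host_attribute_file']['tmp_name']);
		if ($data === false) {
			// $_FILES[...] is an array; report the client-supplied file name
			// (escaped, since it is echoed back into the page) rather than "Array".
			$input_errors[] = sprintf(gettext("Error uploading file %s!"), htmlspecialchars($_FILES['host_attribute_file']['name']));
			$pconfig = $_POST;
		}
		else {
			if (isset($id) && isset($a_nat[$id])) {
				$a_nat[$id]['host_attribute_table'] = "on";
				$a_nat[$id]['host_attribute_data'] = base64_encode($data);
				$pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data'];
				$a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts'];
				$a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host'];
				write_config("Snort pkg: imported Host Attribute Table data for {$a_nat[$id]['interface']}.");
			}

			// We have made a preproc config change, so set "dirty" flag
			mark_subsystem_dirty('snort_preprocessors');

			header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
			header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
			header( 'Cache-Control: no-store, no-cache, must-revalidate' );
			header( 'Cache-Control: post-check=0, pre-check=0', false );
			header( 'Pragma: no-cache' );
			header("Location: snort_preprocessors.php?id=$id");
			exit;
		}
	}
	else {
		$input_errors[] = gettext("No filename specified for import!");
		$pconfig = $_POST;
	}
}

if (!empty($_POST['btn_edit_hat'])) {
	if (isset($id) && isset($a_nat[$id])) {
		$a_nat[$id]['host_attribute_table'] = "on";
		$a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts'];
		$a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host'];
		write_config("Snort pkg: modified Host Attribute Table data for {$a_nat[$id]['interface']}.");
		header("Location: snort_edit_hat_data.php?id=$id");
		exit;
	}
}

/* If Host Attribute Table option is enabled, but */
/* no Host Attribute data exists, flag an error.  */
if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_data']))
	$input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file.");

$pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow");
include_once("head.inc");
?>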