<?php /* * suricata_app_parsers.php * part of pfSense * * Significant portions of this code are based on original work done * for the Snort package for pfSense from the following contributors: * * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya Sr. Developer * Copyright (C) 2012 Ermal Luci * All rights reserved. * * Adapted for Suricata by: * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $rebuild_rules; if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; elseif (isset($_GET['id']) && is_numericint($_GET['id'])) $id = htmlspecialchars($_GET['id']); if (is_null($id)) $id = 0; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); // Initialize HTTP libhtp engine arrays if necessary if (!is_array($config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'])) $config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'] = array(); // Initialize required array variables as necessary if (!is_array($config['aliases']['alias'])) $config['aliases']['alias'] = array(); $a_aliases = $config['aliases']['alias']; $a_nat = &$config['installedpackages']['suricata']['rule']; $libhtp_engine_next_id = count($a_nat[$id]['libhtp_policy']['item']); // Build a lookup array of currently used engine 'bind_to' Aliases // so we can screen matching Alias names from the list. $used = array(); foreach ($a_nat[$id]['libhtp_policy']['item'] as $v) $used[$v['bind_to']] = true; $pconfig = array(); if (isset($id) && $a_nat[$id]) { /* Get current values from config for page form fields */ $pconfig = $a_nat[$id]; // See if Host-OS policy engine array is configured and use // it; otherwise create a default engine configuration. if (empty($pconfig['libhtp_policy']['item'])) { $default = array( "name" => "default", "bind_to" => "all", "personality" => "IDS", "request-body-limit" => 4096, "response-body-limit" => 4096, "double-decode-path" => "no", "double-decode-query" => "no", "uri-include-all" => "no" ); $pconfig['libhtp_policy']['item'] = array(); $pconfig['libhtp_policy']['item'][] = $default; if (!is_array($a_nat[$id]['libhtp_policy']['item'])) $a_nat[$id]['libhtp_policy']['item'] = array(); $a_nat[$id]['libhtp_policy']['item'][] = $default; write_config("Suricata pkg: created a new default HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $libhtp_engine_next_id++; } else $pconfig['libhtp_policy'] = $a_nat[$id]['libhtp_policy']; } // Check for "import or select alias mode" and set flags if TRUE. // "selectalias", when true, displays radio buttons to limit // multiple selections. if ($_POST['import_alias']) { $importalias = true; $selectalias = false; $title = "HTTP Server Policy"; } elseif ($_POST['select_alias']) { $importalias = true; $selectalias = true; $title = "HTTP Server Policy"; // Preserve current Libhtp Policy Engine settings $eng_id = $_POST['eng_id']; $eng_name = $_POST['policy_name']; $eng_bind = $_POST['policy_bind_to']; $eng_personality = $_POST['personality']; $eng_req_body_limit = $_POST['req_body_limit']; $eng_resp_body_limit = $_POST['resp_body_limit']; $eng_enable_double_decode_path = $_POST['enable_double_decode_path']; $eng_enable_double_decode_query = $_POST['enable_double_decode_query']; $eng_enable_uri_include_all = $_POST['enable_uri_include_all']; $mode = "add_edit_libhtp_policy"; } if ($_POST['save_libhtp_policy']) { if ($_POST['eng_id'] != "") { $eng_id = $_POST['eng_id']; // Grab all the POST values and save in new temp array $engine = array(); $policy_name = trim($_POST['policy_name']); if ($policy_name) { $engine['name'] = $policy_name; } else $input_errors[] = gettext("The 'Policy Name' value cannot be blank."); if ($_POST['policy_bind_to']) { if (is_alias($_POST['policy_bind_to'])) $engine['bind_to'] = $_POST['policy_bind_to']; elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") $engine['bind_to'] = "all"; else $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); } else $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); if ($_POST['personality']) { $engine['personality'] = $_POST['personality']; } else { $engine['personality'] = "bsd"; } if (is_numeric($_POST['req_body_limit']) && $_POST['req_body_limit'] >= 0) $engine['request-body-limit'] = $_POST['req_body_limit']; else $input_errors[] = gettext("The value for 'Request Body Limit' must be all numbers and greater than or equal to zero."); if (is_numeric($_POST['resp_body_limit']) && $_POST['resp_body_limit'] >= 0) $engine['response-body-limit'] = $_POST['resp_body_limit']; else $input_errors[] = gettext("The value for 'Response Body Limit' must be all numbers and greater than or equal to zero."); if ($_POST['enable_double_decode_path']) { $engine['double-decode-path'] = 'yes'; }else{ $engine['double-decode-path'] = 'no'; } if ($_POST['enable_double_decode_query']) { $engine['double-decode-query'] = 'yes'; }else{ $engine['double-decode-query'] = 'no'; } if ($_POST['enable_uri_include_all']) { $engine['uri-include-all'] = 'yes'; }else{ $engine['uri-include-all'] = 'no'; } // Can only have one "all" Bind_To address if ($engine['bind_to'] == "all" && $engine['name'] <> "default") $input_errors[] = gettext("Only one default OS-Policy Engine can be bound to all addresses."); // if no errors, write new entry to conf if (!$input_errors) { if (isset($eng_id) && $a_nat[$id]['libhtp_policy']['item'][$eng_id]) { $a_nat[$id]['libhtp_policy']['item'][$eng_id] = $engine; } else $a_nat[$id]['libhtp_policy']['item'][] = $engine; /* Reorder the engine array to ensure the */ /* 'bind_to=all' entry is at the bottom */ /* if it contains more than one entry. */ if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { $i = -1; foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { if ($v['bind_to'] == "all") { $i = $f; break; } } /* Only relocate the entry if we */ /* found it, and it's not already */ /* at the end. */ if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; unset($a_nat[$id]['libhtp_policy']['item'][$i]); $a_nat[$id]['libhtp_policy']['item'][] = $tmp; } } // Now write the new engine array to conf write_config("Suricata pkg: saved updated HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; } else { $add_edit_libhtp_policy = true; $pengcfg = $engine; } } } elseif ($_POST['add_libhtp_policy']) { $add_edit_libhtp_policy = true; $pengcfg = array( "name" => "engine_{$libhtp_engine_next_id}", "bind_to" => "", "personality" => "IDS", "request-body-limit" => "4096", "response-body-limit" => "4096", "double-decode-path" => "no", "double-decode-query" => "no", "uri-include-all" => "no" ); $eng_id = $libhtp_engine_next_id; } elseif ($_POST['edit_libhtp_policy']) { if ($_POST['eng_id'] != "") { $add_edit_libhtp_policy = true; $eng_id = $_POST['eng_id']; $pengcfg = $a_nat[$id]['libhtp_policy']['item'][$eng_id]; } } elseif ($_POST['del_libhtp_policy']) { $natent = array(); $natent = $pconfig; if ($_POST['eng_id'] != "") { unset($natent['libhtp_policy']['item'][$_POST['eng_id']]); $pconfig = $natent; } if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config("Suricata pkg: deleted a HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); } } elseif ($_POST['cancel_libhtp_policy']) { $add_edit_libhtp_policy = false; } elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ $pconfig['asn1_max_frames'] = "256"; $pconfig['dns_global_memcap'] = "16777216"; $pconfig['dns_state_memcap'] = "524288"; $pconfig['dns_request_flood_limit'] = "500"; $pconfig['http_parser_memcap'] = "67108864"; $pconfig['dns_parser_udp'] = "yes"; $pconfig['dns_parser_tcp'] = "yes"; $pconfig['http_parser'] = "yes"; $pconfig['tls_parser'] = "yes"; $pconfig['smtp_parser'] = "yes"; $pconfig['imap_parser'] = "detection-only"; $pconfig['ssh_parser'] = "yes"; $pconfig['ftp_parser'] = "yes"; $pconfig['dcerpc_parser'] = "yes"; $pconfig['smb_parser'] = "yes"; $pconfig['msn_parser'] = "detection-only"; /* Log a message at the top of the page to inform the user */ $savemsg = gettext("All flow and stream settings on this page have been reset to their defaults. Click APPLY if you wish to keep these new settings."); } elseif ($_POST['save_import_alias']) { // If saving out of "select alias" mode, // then return to Libhtp Policy Engine edit // page. if ($_POST['mode'] == 'add_edit_libhtp_policy') { $pengcfg = array(); $eng_id = $_POST['eng_id']; $pengcfg['name'] = $_POST['eng_name']; $pengcfg['bind_to'] = $_POST['eng_bind']; $pengcfg['personality'] = $_POST['eng_personality']; $pengcfg['request-body-limit'] = $_POST['eng_req_body_limit']; $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; $pengcfg['uri-include-all'] = $_POST['eng_enable_uri_include_all']; $add_edit_libhtp_policy = true; $mode = "add_edit_libhtp_policy"; if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) == 1) { $pengcfg['bind_to'] = $_POST['aliastoimport'][0]; $importalias = false; $selectalias = false; } else { $input_errors[] = gettext("No Alias is selected for import. Nothing to SAVE."); $importalias = true; $selectalias = true; $eng_id = $_POST['eng_id']; $eng_name = $_POST['eng_name']; $eng_bind = $_POST['eng_bind']; $eng_personality = $_POST['eng_personality']; $eng_req_body_limit = $_POST['eng_req_body_limit']; $eng_resp_body_limit = $_POST['eng_resp_body_limit']; $eng_enable_double_decode_path = $_POST['eng_enable_double_decode_path']; $eng_enable_double_decode_query = $_POST['eng_enable_double_decode_query']; $eng_enable_uri_include_all = $_POST['eng_enable_uri_include_all']; } } else { $engine = array( "name" => "", "bind_to" => "", "personality" => "IDS", "request-body-limit" => "4096", "response-body-limit" => "4096", "double-decode-path" => "no", "double-decode-query" => "no", "uri-include-all" => "no" ); // See if anything was checked to import if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { foreach ($_POST['aliastoimport'] as $item) { $engine['name'] = strtolower($item); $engine['bind_to'] = $item; $a_nat[$id]['libhtp_policy']['item'][] = $engine; } } else { $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); $importalias = true; } // if no errors, write new entry to conf if (!$input_errors) { // Reorder the engine array to ensure the // 'bind_to=all' entry is at the bottom if // the array contains more than one entry. if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { $i = -1; foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { if ($v['bind_to'] == "all") { $i = $f; break; } } // Only relocate the entry if we // found it, and it's not already // at the end. if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; unset($a_nat[$id]['libhtp_policy']['item'][$i]); $a_nat[$id]['libhtp_policy']['item'][] = $tmp; } $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; } // Write the new engine array to config file write_config("Suricata pkg: saved an updated HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $importalias = false; } } } elseif ($_POST['cancel_import_alias']) { $importalias = false; $selectalias = false; $eng_id = $_POST['eng_id']; // If cancelling out of "select alias" mode, // then return to Libhtp Policy Engine edit // page. if ($_POST['mode'] == 'add_edit_libhtp_policy') { $pengcfg = array(); $pengcfg['name'] = $_POST['eng_name']; $pengcfg['bind_to'] = $_POST['eng_bind']; $pengcfg['personality'] = $_POST['eng_personality']; $pengcfg['request-body-limit'] = $_POST['eng_req_body_limit']; $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; $pengcfg['uri-include-all'] = $_POST['eng_enable_uri_include_all']; $add_edit_libhtp_policy = true; } } elseif ($_POST['save'] || $_POST['apply']) { $natent = array(); $natent = $pconfig; // TODO: validate input values if (!is_numeric($_POST['asn1_max_frames'] ) || $_POST['asn1_max_frames'] < 1) $input_errors[] = gettext("The value for 'ASN1 Max Frames' must be all numbers and greater than 0."); if (!is_numeric($_POST['dns_global_memcap'] ) || $_POST['dns_global_memcap'] < 1) $input_errors[] = gettext("The value for 'DNS Global Memcap' must be all numbers and greater than 0."); if (!is_numeric($_POST['dns_state_memcap'] ) || $_POST['dns_state_memcap'] < 1) $input_errors[] = gettext("The value for 'DNS Flow/State Memcap' must be all numbers and greater than 0."); if (!is_numeric($_POST['dns_request_flood_limit'] ) || $_POST['dns_request_flood_limit'] < 1) $input_errors[] = gettext("The value for 'DNS Request Flood Limit' must be all numbers and greater than 0."); if (!is_numeric($_POST['http_parser_memcap'] ) || $_POST['http_parser_memcap'] < 1) $input_errors[] = gettext("The value for 'HTTP Memcap' must be all numbers and greater than 0."); /* if no errors write to conf */ if (!$input_errors) { if ($_POST['asn1_max_frames'] != "") { $natent['asn1_max_frames'] = $_POST['asn1_max_frames']; }else{ $natent['asn1_max_frames'] = "256"; } if ($_POST['dns_global_memcap'] != ""){ $natent['dns_global_memcap'] = $_POST['dns_global_memcap']; }else{ $natent['dns_global_memcap'] = "16777216"; } if ($_POST['dns_state_memcap'] != ""){ $natent['dns_state_memcap'] = $_POST['dns_state_memcap']; }else{ $natent['dns_state_memcap'] = "524288"; } if ($_POST['dns_request_flood_limit'] != ""){ $natent['dns_request_flood_limit'] = $_POST['dns_request_flood_limit']; }else{ $natent['dns_request_flood_limit'] = "500"; } if ($_POST['http_parser_memcap'] != ""){ $natent['http_parser_memcap'] = $_POST['http_parser_memcap']; }else{ $natent['http_parser_memcap'] = "67108864"; } $natent['dns_parser_udp'] = $_POST['dns_parser_udp']; $natent['dns_parser_tcp'] = $_POST['dns_parser_tcp']; $natent['http_parser'] = $_POST['http_parser']; $natent['tls_parser'] = $_POST['tls_parser']; $natent['smtp_parser'] = $_POST['smtp_parser']; $natent['imap_parser'] = $_POST['imap_parser']; $natent['ssh_parser'] = $_POST['ssh_parser']; $natent['ftp_parser'] = $_POST['ftp_parser']; $natent['dcerpc_parser'] = $_POST['dcerpc_parser']; $natent['smb_parser'] = $_POST['smb_parser']; $natent['msn_parser'] = $_POST['msn_parser']; /**************************************************/ /* If we have a valid rule ID, save configuration */ /* then update the suricata.conf file for this */ /* interface. */ /**************************************************/ if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config("Suricata pkg: saved updated app-layer parser configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $rebuild_rules = false; conf_mount_rw(); suricata_generate_yaml($natent); conf_mount_ro(); // Sync to configured CARP slaves if any are enabled suricata_sync_on_changes(); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); header("Location: suricata_app_parsers.php?id=$id"); exit; } } $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); $pgtitle = gettext("Suricata: Interface {$if_friendly} - Application Layer Parsers"); include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); /* Display error message */ if ($input_errors) { print_input_errors($input_errors); } ?> <form action="suricata_app_parsers.php" method="post" name="iform" id="iform"> <input name="id" type="hidden" value="<?=$id;?>"/> <input type="hidden" name="eng_id" id="eng_id" value="<?=$eng_id;?>"/> <?php if ($savemsg) { /* Display save message */ print_info_box($savemsg); } ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tbody> <tr><td> <?php $tab_array = array(); $tab_array[] = array(gettext("Interfaces"), true, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Updates"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); $tab_array[] = array(gettext("Blocks"), false, "/suricata/suricata_blocked.php"); $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs View"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); $tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml"); $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php"); display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td>'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); $tab_array[] = array($menu_iface . gettext("Settings"), false, "/suricata/suricata_interfaces_edit.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Categories"), false, "/suricata/suricata_rulesets.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Rules"), false, "/suricata/suricata_rules.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Flow/Stream"), false, "/suricata/suricata_flow_stream.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("App Parsers"), true, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}"); display_top_tabs($tab_array, true); ?> </td></tr> <tr><td><div id="mainarea"> <?php if ($importalias) : ?> <?php include("/usr/local/www/suricata/suricata_import_aliases.php"); if ($selectalias) { echo '<input type="hidden" name="eng_name" value="' . $eng_name . '"/>'; echo '<input type="hidden" name="eng_bind" value="' . $eng_bind . '"/>'; echo '<input type="hidden" name="eng_personality" value="' . $eng_personality . '"/>'; echo '<input type="hidden" name="eng_req_body_limit" value="' . $eng_req_body_limit . '"/>'; echo '<input type="hidden" name="eng_resp_body_limit" value="' . $eng_resp_body_limit . '"/>'; echo '<input type="hidden" name="eng_enable_double_decode_path" value="' . $eng_enable_double_decode_path . '"/>'; echo '<input type="hidden" name="eng_enable_double_decode_query" value="' . $eng_enable_double_decode_query . '"/>'; echo '<input type="hidden" name="eng_enable_uri_include_all" value="' . $eng_enable_uri_include_all . '"/>'; } ?> <?php elseif ($add_edit_libhtp_policy) : ?> <?php include("/usr/local/www/suricata/suricata_libhtp_policy_engine.php"); ?> <?php else: ?> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tbody> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Abstract Syntax One Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Asn1 Max Frames"); ?></td> <td width="78%" class="vtable"> <input name="asn1_max_frames" type="text" class="formfld unknown" id="asn1_max_frames" size="9" value="<?=htmlspecialchars($pconfig['asn1_max_frames']);?>"> <?php echo gettext("Limit for max number of asn1 frames to decode. Default is ") . "<strong>" . gettext("256") . "</strong>" . gettext(" frames."); ?><br/><br/> <?php echo gettext("To protect itself, Suricata will inspect only the maximum asn1 frames specified. ") . gettext("Application layer protocols such as X.400 electronic mail, X.500 and LDAP directory services, ") . gettext("H.323 (VoIP), and SNMP, use ASN.1 to describe the protocol data units (PDUs) they exchange."); ?> </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("DNS App-Layer Parser Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Global Memcap"); ?></td> <td width="78%" class="vtable"> <input name="dns_global_memcap" type="text" class="formfld unknown" id="dns_global_memcap" size="9" value="<?=htmlspecialchars($pconfig['dns_global_memcap']);?>"> <?php echo gettext("Sets the global memcap limit for the DNS parser. Default is ") . "<strong>" . gettext("16777216") . "</strong>" . gettext(" bytes (16MB)."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Flow/State Memcap"); ?></td> <td width="78%" class="vtable"> <input name="dns_state_memcap" type="text" class="formfld unknown" id="dns_state_memcap" size="9" value="<?=htmlspecialchars($pconfig['dns_state_memcap']);?>"> <?php echo gettext("Sets per flow/state memcap limit for the DNS parser. Default is ") . "<strong>" . gettext("524288") . "</strong>" . gettext(" bytes (512KB)."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Request Flood Limit"); ?></td> <td width="78%" class="vtable"> <input name="dns_request_flood_limit" type="text" class="formfld unknown" id="dns_request_flood_limit" size="9" value="<?=htmlspecialchars($pconfig['dns_request_flood_limit']);?>"> <?php echo gettext("How many unreplied DNS requests are considered a flood. Default is ") . "<strong>" . gettext("500") . "</strong>" . gettext(" requests."); ?><br/> <?php echo gettext("If this limit is reached, 'app-layer-event:dns.flooded' will match and alert. "); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("UDP Parser"); ?></td> <td width="78%" class="vtable"> <select name="dns_parser_udp" id="dns_parser_udp" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['dns_parser_udp']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for UDP. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Parser"); ?></td> <td width="78%" class="vtable"> <select name="dns_parser_tcp" id="dns_parser_tcp" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['dns_parser_tcp']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for TCP. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP App-Layer Parser Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Memcap"); ?></td> <td width="78%" class="vtable"> <input name="http_parser_memcap" type="text" class="formfld unknown" id="http_parser_memcap" size="9" value="<?=htmlspecialchars($pconfig['http_parser_memcap']);?>"> <?php echo gettext("Sets the memcap limit for the HTTP parser. Default is ") . "<strong>" . gettext("67108864") . "</strong>" . gettext(" bytes (64MB)."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP Parser"); ?></td> <td width="78%" class="vtable"> <select name="http_parser" id="http_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['http_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for HTTP. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configurations"); ?></td> <td width="78%" class="vtable"> <table width="95%" align="left" id="libhtpEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> <colgroup> <col width="45%" align="left"> <col width="45%" align="center"> <col width="10%" align="right"> </colgroup> <thead> <tr> <th class="listhdrr" axis="string"><?php echo gettext("Name");?></th> <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> <th class="list" align="right"><input type="image" name="import_alias[]" src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"/> <input type="image" name="add_libhtp_policy[]" src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></th> </tr> </thead> <tbody> <?php foreach ($pconfig['libhtp_policy']['item'] as $f => $v): ?> <tr> <td class="listlr" align="left"><?=gettext($v['name']);?></td> <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> <td class="listt" align="right"><input type="image" name="edit_libhtp_policy[]" value="<?=$f;?>" onclick="document.getElementById('eng_id').value='<?=$f;?>'" src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"/> <?php if ($v['bind_to'] <> "all") : ?> <input type="image" name="del_libhtp_policy[]" value="<?=$f;?>" onclick="document.getElementById('eng_id').value='<?=$f;?>';return confirm('Are you sure you want to delete this entry?');" src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("Delete this server configuration");?>"> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default server configuration cannot be deleted");?>"> <?php endif ?> </td> </tr> <?php endforeach; ?> </tbody> </table> </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Other App-Layer Parser Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("TLS Parser"); ?></td> <td width="78%" class="vtable"> <select name="tls_parser" id="tls_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['tls_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for TLS. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("SMTP Parser"); ?></td> <td width="78%" class="vtable"> <select name="smtp_parser" id="smtp_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['smtp_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for SMTP. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("IMAP Parser"); ?></td> <td width="78%" class="vtable"> <select name="imap_parser" id="imap_parser" class="formselect"> <?php $opt = array( "detection-only", "yes", "no" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['imap_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for IMAP. Default is ") . "<strong>" . gettext("detection-only") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("SSH Parser"); ?></td> <td width="78%" class="vtable"> <select name="ssh_parser" id="ssh_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['ssh_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for SSH. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("FTP Parser"); ?></td> <td width="78%" class="vtable"> <select name="ftp_parser" id="ftp_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['ftp_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for FTP. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("DCERPC Parser"); ?></td> <td width="78%" class="vtable"> <select name="dcerpc_parser" id="dcerpc_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['dcerpc_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for DCERPC. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("SMB Parser"); ?></td> <td width="78%" class="vtable"> <select name="smb_parser" id="smb_parser" class="formselect"> <?php $opt = array( "yes", "no", "detection-only" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['smb_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for SMB. Default is ") . "<strong>" . gettext("yes") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("MSN Parser"); ?></td> <td width="78%" class="vtable"> <select name="msn_parser" id="msn_parser" class="formselect"> <?php $opt = array( "detection-only", "yes", "no" ); foreach ($opt as $val) { $selected = ""; if ($val == $pconfig['msn_parser']) $selected = " selected"; echo "<option value='{$val}'{$selected}>" . $val . "</option>\n"; } ?></select> <?php echo gettext("Choose the parser/detection setting for MSN. Default is ") . "<strong>" . gettext("detection-only") . "</strong>" . gettext("."); ?><br/> <?php echo gettext("Selecting \"yes\" enables detection and parser, \"no\" disables both and \"detection-only\" disables parser."); ?> </td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input name="save" type="submit" class="formbtn" value="Save" title="<?php echo gettext("Save flow and stream settings"); ?>"/> <input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" . gettext("WARNING: This will reset ALL App Parsers settings to their defaults. Click OK to continue or CANCEL to quit.") . "');\""; ?>/></td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: "); ?></strong></span></span> <?php echo gettext("Please save your settings before you exit. Changes will rebuild the rules file. This "); ?> <?php echo gettext("may take several seconds. Suricata must also be restarted to activate any changes made on this screen."); ?></td> </tr> </tbody> </table> <?php endif; ?> </div> </td></tr></tbody></table> </form> <?php include("fend.inc"); ?> </body> </html>