For Snort sfPortScan, add ignore_scanned option to ignore destination… #122

Merged
merged 7 commits into from
May 20, 2016
For Snort sfPortScan, add ignore_scanned option to ignore destination…
…s CIDR/ports.
zxvv committed Apr 27, 2016
commit 95a152deee306acab5eeedc8940e035b06b0d4a6
Expand Up @@ -640,6 +640,11 @@
$sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners']));
$sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
}
$sf_pscan_ignore_scanned = "";
if (!empty($snortcfg['pscan_ignore_scanned']) && is_alias($snortcfg['pscan_ignore_scanned'])) {
$sf_pscan_ignore_scanned = trim(filter_expand_alias($snortcfg['pscan_ignore_scanned']));
$sf_pscan_ignore_scanned = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanned));
}

$sf_portscan = <<<EOD
# sf Portscan #
Expand All @@ -648,7 +653,8 @@
proto { {$sf_pscan_protocol} } \
memcap { {$sf_pscan_memcap} } \
sense_level { {$sf_pscan_sense_level} } \
ignore_scanners { {$sf_pscan_ignore_scanners} }
ignore_scanners { {$sf_pscan_ignore_scanners} } \
ignore_scanned { {$sf_pscan_ignore_scanned} }

EOD;

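Review bot: The new `ignore_scanned { {$sf_pscan_ignore_scanned} }` line at the end of the heredoc is emitted unconditionally, so on every install where `pscan_ignore_scanned` is unset, or names an alias that has since been deleted, the generated snort.conf now carries an empty `ignore_scanned { }` list. The pre-existing `ignore_scanners` line follows the same pattern, so the sfPortScan parser presumably tolerates an empty brace list, but that should be confirmed before shipping a change that alters every generated config rather than only those of users who opt in. A related operational gap: when the configured alias fails `is_alias()` the value silently collapses to "ignore none" — fail-safe for detection, but an operator who relied on the whitelist gets no signal that it stopped applying; a `log_error(gettext("Portscan ignore_scanned alias not found, ignoring none."))` in an `else` branch would make that visible in the system log. The heredoc begins inside the hunk, but the enclosing preprocessor-generation code starts outside it.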
Expand Up @@ -262,6 +262,7 @@
// Retrieve previously typed values we passed to SELECT ALIAS page
$pconfig['sf_portscan'] = htmlspecialchars($_GET['sf_portscan'])? 'on' : 'off';
$pconfig['pscan_ignore_scanners'] = htmlspecialchars($_GET['pscan_ignore_scanners']);
$pconfig['pscan_ignore_scanned'] = htmlspecialchars($_GET['pscan_ignore_scanned']);
$pconfig['pscan_protocol'] = htmlspecialchars($_GET['pscan_protocol']);
$pconfig['pscan_type'] = htmlspecialchars($_GET['pscan_type']);
$pconfig['pscan_memcap'] = htmlspecialchars($_GET['pscan_memcap']);
Expand Down Expand Up @@ -368,6 +369,7 @@
$pconfig['pscan_type'] = "all";
$pconfig['pscan_sense_level'] = "medium";
$pconfig['pscan_ignore_scanners'] = "";
$pconfig['pscan_ignore_scanned'] = "";
$pconfig['pscan_memcap'] = '10000000';
$pconfig['dce_rpc_2'] = "on";
$pconfig['dns_preprocessor'] = "on";
Expand Down Expand Up @@ -475,6 +477,12 @@
$input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNERS parameter.");
}

// Validate Portscan Ignore_Scanned parameter
if ($_POST['sf_portscan'] == 'on' && is_alias($_POST['pscan_ignore_scanned'])) {
if (trim(filter_expand_alias($_POST["def_{$key}"])) == "")
$input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNED parameter.");
}

/* if no errors write to conf */
if (!$input_errors) {
/* post new options */
Expand All @@ -495,6 +503,7 @@
if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; }
if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; }
if ($_POST['pscan_ignore_scanners'] != "") { $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; }else{ $natent['pscan_ignore_scanners'] = ""; }
if ($_POST['pscan_ignore_scanned'] != "") { $natent['pscan_ignore_scanned'] = $_POST['pscan_ignore_scanned']; }else{ $natent['pscan_ignore_scanned'] = ""; }
if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; }
if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; }
if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; }
Expand Down Expand Up @@ -1316,12 +1325,34 @@
);
$btnaliases->removeClass('btn-primary')->addClass('btn-default')->addClass('btn-success')->addClass('btn-sm');
$btnaliases->setAttribute('title', gettext("Select an existing IP alias"));
$btnaliases->setAttribute('onclick', 'selectAlias();');
$btnaliases->setAttribute('onclick', 'selectAlias(\'pscan_ignore_scanners\');');
$group = new Form_Group('Ignore Scanners');
$group->add($bind_to);
$group->add($btnaliases);
$group->setHelp('Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.');
$section->add($group);
$bind_to = new Form_Input(
'pscan_ignore_scanned',
'',
'text',
$pconfig['pscan_ignore_scanned']
);
$bind_to->setAttribute('title', trim(filter_expand_alias($pconfig['pscan_ignore_scanned'])));
$bind_to->setHelp('Leave blank for default. Default value is <em>blank</em>, which means ignore none.');
$btnaliases = new Form_Button(
'btnSelectAlias',
' ' . 'Aliases',
'#',
'fa-search-plus'
);
$btnaliases->removeClass('btn-primary')->addClass('btn-default')->addClass('btn-success')->addClass('btn-sm');
$btnaliases->setAttribute('title', gettext("Select an existing IP alias"));
$btnaliases->setAttribute('onclick', 'selectAlias(\'pscan_ignore_scanned\');');
$group = new Form_Group('Ignore Scanned');
$group->add($bind_to);
$group->add($btnaliases);
$group->setHelp('Ignores the specified entity as a destination of scan alerts. Entity must be a defined alias.');
$section->add($group);
print($section);
//----- END Portscan settings -----

Expand Down Expand Up @@ -2045,15 +2076,15 @@ function enable_change_all() {
ftp_telnet_enable_change();
}

function selectAlias() {
function selectAlias(targetVar) {

var loc;
var fields = [ "#sf_portscan", "#pscan_protocol", "#pscan_type", "#pscan_sense_level", "#pscan_memcap", "#pscan_ignore_scanners" ];
var fields = [ "#sf_portscan", "#pscan_protocol", "#pscan_type", "#pscan_sense_level", "#pscan_memcap", "#pscan_ignore_scanners", "#pscan_ignore_scanned" ];

// Scrape current form field values and add to
// the select alias URL as a query string.
var loc = 'snort_select_alias.php?id=<?=$id;?>&act=import&type=host|network';
loc = loc + '&varname=pscan_ignore_scanners&multi_ip=yes';
loc = loc + '&varname=' + targetVar + '&multi_ip=yes';
loc = loc + '&returl=<?=urlencode($_SERVER['PHP_SELF']);?>';

// Iterate over just the specific form fields we want to pass to
Expand Down Expand Up @@ -2104,6 +2135,10 @@ function getFileContents() {
source: addressarray
});

$('#pscan_ignore_scanned').autocomplete({
source: addressarray
});

// ---------- Click handlers -------------------------------------------------------

$('#host_attribute_table').click(function() {
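Review bot: The FQDN check added for IGNORE_SCANNED expands `$_POST["def_{$key}"]` instead of the field being validated; `$key` is not defined anywhere visible in that hunk, so the check reads an unrelated (and most likely absent) POST key and its outcome is independent of the alias the user selected — if the expansion comes back empty the option can never be saved, and if it does not, an FQDN-only alias passes validation and then expands to nothing at config-generation time, i.e. no destinations are ignored. It should mirror the IGNORE_SCANNERS check directly above it: `if (trim(filter_expand_alias($_POST['pscan_ignore_scanned'])) == "")`. Separately, the save path stores `$natent['pscan_ignore_scanned'] = $_POST['pscan_ignore_scanned']` even when the value is not a defined alias, because the validator only runs when `is_alias()` is true; a typo is therefore accepted at save time and silently degrades to "ignore none" in the generated config, so rejecting a non-empty value that is not an alias with an `$input_errors[]` entry would surface the mistake where the operator can see it. The enclosing POST-handling block begins and ends outside this hunk.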