aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort-dev/snort_blocked.php
diff options
context:
space:
mode:
authorrobiscool <robrob2626@yahoo.com>2009-12-26 01:20:14 -0800
committerrobiscool <robrob2626@yahoo.com>2009-12-26 01:21:25 -0800
commit4c2b54e15f835a3be2b3a3bb9f5a816e1d131868 (patch)
tree29e94738ce3c3c2865b8f5425d2bb5af4c2a48a0 /config/snort-dev/snort_blocked.php
parent1d2f84a198e02e39e369813e363f97c4cec51411 (diff)
downloadpfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.tar.gz
pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.tar.bz2
pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.zip
snort-dev, add save and download options to alerts block tab
Diffstat (limited to 'config/snort-dev/snort_blocked.php')
-rw-r--r--config/snort-dev/snort_blocked.php351
1 files changed, 281 insertions, 70 deletions
diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php
index 4582c928..06d03bd0 100644
--- a/config/snort-dev/snort_blocked.php
+++ b/config/snort-dev/snort_blocked.php
@@ -3,9 +3,11 @@
/*
snort_blocked.php
Copyright (C) 2006 Scott Ullrich
- Copyright (C) 2009 Robert Zelaya
All rights reserved.
+ Modified for the Pfsense snort package v. 1.8+
+ Copyright (C) 2009 Robert Zelaya Sr. Developer
+
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -29,7 +31,16 @@
*/
require("guiconfig.inc");
-require("/usr/local/pkg/snort/snort.inc");
+
+$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
+$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
+
+if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
+{
+ $bnentries = '500';
+}else{
+ $bnentries = $pconfig['blertnumber'];
+}
if($_POST['todelete'] or $_GET['todelete']) {
if($_POST['todelete'])
@@ -47,9 +58,136 @@ header("Location: /snort/snort_blocked.php");
}
+/* TODO: build a file with block ip and disc */
+if ($_POST['download'])
+{
-$pgtitle = "Snort: Services: Snort Blocked Hosts";
-include("head.inc");
+ ob_start(); //important or other posts will fail
+ $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $file_name = "snort_blocked_{$save_date}.tar.gz";
+ exec('/bin/mkdir /tmp/snort_blocked');
+ exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
+
+ $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf'))));
+
+ if ($blocked_ips_array_save[0] != '')
+ {
+
+ /* build the list */
+ $counter = 0;
+ foreach($blocked_ips_array_save as $fileline3)
+ {
+
+ $counter++;
+
+ exec("/bin/echo $fileline3 >> /tmp/snort_blocked/snort_block.pf");
+
+ }
+ }
+
+ exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
+
+ if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz"))
+ {
+ $file = "/tmp/snort_blocked_{$save_date}.tar.gz";
+ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+ header("Pragma: private"); // needed for IE
+ header("Cache-Control: private, must-revalidate"); // needed for IE
+ header('Content-type: application/force-download');
+ header('Content-Transfer-Encoding: Binary');
+ header("Content-length: ".filesize($file));
+ header("Content-disposition: attachment; filename = {$file_name}");
+ readfile("$file");
+ exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz");
+ exec("/bin/rm /tmp/snort_block.pf");
+ exec("/bin/rm /tmp/snort_blocked/snort_block.pf");
+ od_end_clean(); //importanr or other post will fail
+ }else{
+ echo 'Error no saved file.';
+ }
+
+}
+
+if ($_POST['save'])
+{
+
+ /* input validation */
+ if ($_POST['save'])
+ {
+
+
+ }
+
+ /* no errors */
+ if (!$input_errors)
+ {
+
+ $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off;
+ $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber'];
+
+ conf_mount_rw();
+ write_config();
+ //conf_mount_ro();
+ sleep(2);
+
+ header("Location: /snort/snort_blocked.php");
+
+ }
+
+}
+
+/* build filter funcs */
+function get_snort_alert_ip_src($fileline)
+{
+ /* SRC IP */
+ $re1='.*?'; # Non-greedy match on filler
+ $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+ if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
+ {
+ $alert_ip_src = $matches4[1][0];
+ }
+
+return $alert_ip_src;
+
+}
+
+function get_snort_alert_disc($fileline)
+{
+ /* disc */
+ if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
+ {
+ $alert_disc = "$matches[2]";
+ }
+
+return $alert_disc;
+
+}
+
+/* build sec filters */
+function get_snort_block_ip($fileline)
+{
+ /* ip */
+ if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches))
+ {
+ $alert_block_ip = "$matches[0]";
+ }
+
+return $alert_block_ip;
+
+}
+
+function get_snort_block_disc($fileline)
+{
+ /* disc */
+ if (preg_match("/\]\s\[.+\]$/", $fileline, $matches))
+ {
+ $alert_block_disc = "$matches[0]";
+ }
+
+return $alert_block_disc;
+
+}
/* tell the user what settings they have */
$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
@@ -78,13 +216,32 @@ $blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
$blocked_msg = "28 days";
}
+if ($blockedtab_msg_chk != "never_b")
+{
+$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>.";
+}else{
+$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts.";
+}
+
+$pgtitle = "Services: Snort Blocked Hosts";
+include("head.inc");
+
?>
<body link="#000000" vlink="#000000" alink="#000000">
-<?php include("fbegin.inc"); ?>
+<?php
+
+include("fbegin.inc");
+
+/* refresh every 60 secs */
+if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '')
+{
+ echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n";
+}
+?>
+
<p class="pgtitle"><?=$pgtitle?></p>
-<form action="snort_blocked.php" method="post" name="iform" id="iform">
<script src="/row_toggle.js" type="text/javascript"></script>
<script src="/javascript/sorttable.js" type="text/javascript"></script>
<?php if ($savemsg) print_info_box($savemsg); ?>
@@ -102,96 +259,150 @@ $blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
$tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php");
display_top_tabs($tab_array);
?>
- </td>
+ </td>
</tr>
<tr>
<td>
<div id="mainarea">
- <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="22%" colspan="0" class="listtopic">
+ Last <?=$bnentries;?> Blocked.
+ </td>
+ <td width="78%" class="listtopic">
+ This page lists hosts that have been blocked by Snort.&nbsp;&nbsp;<?=$blocked_msg_txt;?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncell">Save or Remove Hosts</td>
+ <td width="78%" class="vtable">
+ <form action="/snort/snort_blocked.php" method="post">
+ <input name="download" type="submit" class="formbtn" value="Download">
+ All blocked hosts will be saved.
+ <input name="remove" type="submit" class="formbtn" value="Clear">
+ <span class="red"><strong>Warning:</strong></span> all hosts will be removed.
+ </form>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncell">Auto Refresh and Log View</td>
+ <td width="78%" class="vtable">
+ <form action="/snort/snort_blocked.php" method="post">
+ <input name="save" type="submit" class="formbtn" value="Save">
+ Refresh
+ <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>>
+ <strong>Default</strong> is <strong>ON</strong>.
+ <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>">
+ Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>.
+ </form>
+ </td>
+ </tr>
+ </table>
+
+ </div>
+ </td>
+ </tr>
+
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
- <?php
- if ($blockedtab_msg_chk != "never_b")
- {
- echo "<span class=\"red\"><strong>Note:</strong></span><br>This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every <strong>$blocked_msg</strong>.<br><br>";
- }else{
- echo "<span class=\"red\"><strong>Note:</strong></span><br>This page lists hosts that have been blocked by Snort. Snort package settings are set to never <strong>remove</strong> hosts.<br><br>";
- }
- ?>
- <input name="remove" type="submit" class="formbtn" value="Remove"> all blocked hosts.<br><br>
<table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr id="frheader">
<td width="5%" class="listhdrr">Remove</td>
+ <td class="listhdrr">#</td>
<td class="listhdrr">IP</td>
<td class="listhdrr">Alert Description</td>
</tr>
<?php
- $associatealertip = $config['installedpackages']['snortglobal']['associatealertip'];
- // $ips = `/sbin/pfctl -t snort2c -T show`;
- /* this improves loading of ips by a factor of 10 */
- exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
- sleep(1);
- $ips_array = file('/tmp/snort_block.cache');
- //$ips_array = split("\n", $ips);
+/* set the arrays */
+exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
+$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
+$blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache'))));
+
+$logent = $bnentries;
+
+if ($blocked_ips_array[0] != '')
+{
+
+ /* build the list and compare blocks to alerts */
$counter = 0;
- foreach($ips_array as $ip) {
- if(!$ip)
- continue;
- $ww_ip = str_replace(" ", "", $ip);
- $counter++;
- if($associatealertip)
- $alert_description = get_snort_alert($ww_ip);
- else
- $alert_description = "";
- echo "\n<tr>";
- echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>";
- echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>";
- echo "\n<td>&nbsp;{$ww_ip}</td>";
- echo "\n<td>&nbsp;{$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>";
- echo "\n</tr>";
+ foreach($alerts_array as $fileline)
+ {
+
+ $counter++;
+
+ $alert_ip_src = get_snort_alert_ip_src($fileline);
+ $alert_ip_disc = get_snort_alert_disc($fileline);
+
+ if (in_array("$alert_ip_src", $blocked_ips_array))
+ $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
+
}
- echo "\n<tr><td colspan='3'>&nbsp;</td></tr>";
- if($counter < 1)
- echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>";
- else
- echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
-?>
+ /* reduce double occurrences */
+ $result = array_unique($input);
- </table>
- </td>
- </tr>
- </table>
- </div>
- </td>
- </tr>
-</table>
+ /* buil final list, preg_match, buld html */
+ $counter2 = 0;
-</form>
+ foreach($result as $fileline2)
+ {
+ if($logent <= $counter2)
+ continue;
-<p>
+ $counter2++;
-<?php
+ $alert_block_ip_str = get_snort_block_ip($fileline2);
-if ($blockedtab_msg_chk != "never_b")
+ if($alert_block_ip_str != '')
+ {
+ $alert_block_ip_match = array('[',']');
+ $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str");
+ }else{
+ $alert_block_ip = 'empty';
+ }
+
+ $alert_block_disc_str = get_snort_block_disc($fileline2);
+
+ if($alert_block_disc_str != '')
+ {
+ $alert_block_disc_match = array('] [',']');
+ $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str");
+ }else{
+ $alert_block_disc = 'empty';
+ }
+
+
+ /* use one echo to do the magic*/
+ echo "<tr>
+ <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'>
+ <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
+ <td>&nbsp;{$counter2}</td>
+ <td>&nbsp;{$alert_block_ip}</td>
+ <td>&nbsp;{$alert_block_disc}</td>
+ </tr>\n";
+
+ }
+}
+
+if ($blocked_ips_array[0] == '')
{
-echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every <strong>$blocked_msg</strong>.";
+ echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>";
}else{
-echo "This page lists hosts that have been blocked by Snort. Snort package settings are set to never <strong>remove</strong> hosts.";
+ echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
}
?>
-
+ </table>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
+</table>
<?php include("fend.inc"); ?>
-
</body>
-</html>
-
-<?php
-
-/* write out snort cache */
-conf_mount_rw();
-write_snort_config_cache($snort_config);
-conf_mount_ro();
-?> \ No newline at end of file
+</html> \ No newline at end of file