snort-dev, add save and download options to alerts block tab

author: robiscool <robrob2626@yahoo.com> 2009-12-26 01:20:14 -0800
committer: robiscool <robrob2626@yahoo.com> 2009-12-26 01:21:25 -0800
commit: 4c2b54e15f835a3be2b3a3bb9f5a816e1d131868 (patch)
tree: 29e94738ce3c3c2865b8f5425d2bb5af4c2a48a0 /config/snort-dev
parent: 1d2f84a198e02e39e369813e363f97c4cec51411 (diff)
download: pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.tar.gz
pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.tar.bz2
pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.zip
2 files changed, 290 insertions, 78 deletions
diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php
index 88b9bae8..a9e002f8 100644
--- a/config/snort-dev/snort_alerts.php
+++ b/config/snort-dev/snort_alerts.php
@@ -6,10 +6,11 @@
 
 	Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
 	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+	Copyright (C) 2006 Scott Ullrich
 	All rights reserved.
 	
-	Modified for the Pfsense snort package by
-	Copyright (C) 2003 Robert Zelaya
+	Modified for the Pfsense snort package v. 1.8+
+	Copyright (C) 2009 Robert Zelaya Sr. Developer
 
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
@@ -311,9 +312,10 @@ include("head.inc");
 
 include("fbegin.inc");
 
+/* refresh every 60 secs */
 if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '')
 {
-echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n";
+	echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n";
 }
 ?>
 <p class="pgtitle"><?=$pgtitle?></p>
@@ -330,7 +332,8 @@ echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />
 	$tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php");
 	display_top_tabs($tab_array);
 ?>
-  </td></tr>
+  </td>
+  </tr>
   <tr>
     <td>
 	<div id="mainarea">
@@ -423,14 +426,12 @@ echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />
 
 	$logent = $anentries;
 	
-	$alerts = file_get_contents('/var/log/snort/alert');
-	
 	/* detect the alert file type */
 	if ($snortalertlogt == 'full')
 	{
-		$alerts_array = array_reverse(array_filter(explode("\n\n", $alerts)));
+		$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
 	}else{
-		$alerts_array = array_reverse(split("\n", $alerts));
+		$alerts_array = array_reverse(split("\n", file_get_contents('/var/log/snort/alert')));
 	}
 	
 	$counter = 0;
diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php
index 4582c928..06d03bd0 100644
--- a/config/snort-dev/snort_blocked.php
+++ b/config/snort-dev/snort_blocked.php
@@ -3,9 +3,11 @@
 /*
 	snort_blocked.php
 	Copyright (C) 2006 Scott Ullrich
-	Copyright (C) 2009 Robert Zelaya
 	All rights reserved.
 
+	Modified for the Pfsense snort package v. 1.8+
+	Copyright (C) 2009 Robert Zelaya Sr. Developer
+	
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
 
@@ -29,7 +31,16 @@
 */
 
 require("guiconfig.inc");
-require("/usr/local/pkg/snort/snort.inc");
+
+$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
+$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
+
+if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
+{
+	$bnentries = '500';
+}else{
+	$bnentries = $pconfig['blertnumber'];
+}
 
 if($_POST['todelete'] or $_GET['todelete']) {
 	if($_POST['todelete'])
@@ -47,9 +58,136 @@ header("Location: /snort/snort_blocked.php");
 
 }
 
+/* TODO: build a file with block ip and disc */
+if ($_POST['download'])
+{
 
-$pgtitle = "Snort: Services: Snort Blocked Hosts";
-include("head.inc");
+	ob_start(); //important or other posts will fail
+	$save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+	$file_name = "snort_blocked_{$save_date}.tar.gz";
+	exec('/bin/mkdir /tmp/snort_blocked');	
+	exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
+	
+	$blocked_ips_array_save = str_replace('   ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf'))));
+	
+	if ($blocked_ips_array_save[0] != '')
+	{
+
+		/* build the list */
+		$counter = 0;
+		foreach($blocked_ips_array_save as $fileline3)
+		{
+
+			$counter++;
+
+			exec("/bin/echo  $fileline3 >> /tmp/snort_blocked/snort_block.pf");	
+	
+		}
+	}
+
+	exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
+
+	if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz"))
+	{
+		$file = "/tmp/snort_blocked_{$save_date}.tar.gz";
+		header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+		header("Pragma: private"); // needed for IE
+		header("Cache-Control: private, must-revalidate"); // needed for IE
+		header('Content-type: application/force-download');
+		header('Content-Transfer-Encoding: Binary');
+		header("Content-length: ".filesize($file));
+		header("Content-disposition: attachment; filename = {$file_name}");
+		readfile("$file");
+		exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz");
+		exec("/bin/rm /tmp/snort_block.pf");
+		exec("/bin/rm /tmp/snort_blocked/snort_block.pf");
+		od_end_clean(); //importanr or other post will fail
+	}else{
+    echo 'Error no saved file.';
+	}
+
+}
+
+if ($_POST['save'])
+{
+
+	/* input validation */
+	if ($_POST['save'])
+	{
+
+	
+	}
+		
+		/* no errors */
+		if (!$input_errors)
+		{
+		
+		$config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off;
+		$config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber'];
+		
+		conf_mount_rw();
+		write_config();
+		//conf_mount_ro();
+		sleep(2);
+			
+		header("Location: /snort/snort_blocked.php");
+				
+		}
+		
+}
+
+/* build filter funcs */
+function get_snort_alert_ip_src($fileline)
+{
+        /* SRC IP */
+        $re1='.*?';   # Non-greedy match on filler
+        $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+        if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
+        {
+			$alert_ip_src = $matches4[1][0];
+        }
+
+return $alert_ip_src;
+
+}
+
+function get_snort_alert_disc($fileline)
+{
+        /* disc */
+        if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
+        {
+			$alert_disc =  "$matches[2]";
+        }
+
+return $alert_disc;
+
+}
+
+/* build sec filters */
+function get_snort_block_ip($fileline)
+{
+        /* ip */
+        if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches))
+        {
+			$alert_block_ip =  "$matches[0]";
+        }
+
+return $alert_block_ip;
+
+}
+
+function get_snort_block_disc($fileline)
+{
+        /* disc */
+        if (preg_match("/\]\s\[.+\]$/", $fileline, $matches))
+        {
+			$alert_block_disc =  "$matches[0]";
+        }
+
+return $alert_block_disc;
+
+}
 
 /* tell the user what settings they have */
 $blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
@@ -78,13 +216,32 @@ $blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
 		$blocked_msg = "28 days";
 	}
 
+if ($blockedtab_msg_chk != "never_b")
+{
+$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>.";
+}else{
+$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts.";
+}
+	
+$pgtitle = "Services: Snort Blocked Hosts";
+include("head.inc");
+
 ?>
 
 <body link="#000000" vlink="#000000" alink="#000000">
-<?php include("fbegin.inc"); ?>
+<?php 
+
+include("fbegin.inc");
+
+/* refresh every 60 secs */
+if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '')
+{
+	echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n";
+}
+?>
+
 <p class="pgtitle"><?=$pgtitle?></p>
 
-<form action="snort_blocked.php" method="post" name="iform" id="iform">
 <script src="/row_toggle.js" type="text/javascript"></script>
 <script src="/javascript/sorttable.js" type="text/javascript"></script>
 <?php if ($savemsg) print_info_box($savemsg); ?>
@@ -102,96 +259,150 @@ $blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
 	$tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php");
 	display_top_tabs($tab_array);
 ?>
-  		</td>
+  	</td>
   </tr>
   <tr>
     <td>
 		<div id="mainarea">
-			<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+		
+		<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+		  <tr>
+			<td width="22%" colspan="0" class="listtopic">
+			Last <?=$bnentries;?> Blocked.
+			</td>
+			<td width="78%" class="listtopic">
+			This page lists hosts that have been blocked by Snort.&nbsp;&nbsp;<?=$blocked_msg_txt;?>
+			</td>
+		  </tr>
+    <tr>
+        <td width="22%" class="vncell">Save or Remove Hosts</td>
+		<td width="78%" class="vtable">
+		<form action="/snort/snort_blocked.php" method="post">
+        <input name="download" type="submit" class="formbtn" value="Download">
+        All blocked hosts will be saved.
+		<input name="remove" type="submit" class="formbtn" value="Clear">
+		<span class="red"><strong>Warning:</strong></span> all hosts will be removed.
+		</form>
+		</td>
+    </tr>
+    <tr>
+        <td width="22%" class="vncell">Auto Refresh and Log View</td>
+		<td width="78%" class="vtable">
+		<form action="/snort/snort_blocked.php" method="post">
+		<input name="save" type="submit" class="formbtn" value="Save">
+		Refresh
+        <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>>
+        <strong>Default</strong> is <strong>ON</strong>.
+		<input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>">
+		Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>.
+		</form>
+		</td>
+    </tr>
+		</table>
+		
+	</div>
+	</td>
+  </tr>
+
+					<table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
 				<tr> 
 					<td>
-					<?php
-					if ($blockedtab_msg_chk != "never_b")
-					{
-						echo "<span class=\"red\"><strong>Note:</strong></span><br>This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every <strong>$blocked_msg</strong>.<br><br>";
-					}else{
-						echo "<span class=\"red\"><strong>Note:</strong></span><br>This page lists hosts that have been blocked by Snort. Snort package settings are set to never <strong>remove</strong> hosts.<br><br>";
-					}
-					?>
-					<input name="remove" type="submit" class="formbtn" value="Remove"> all blocked hosts.<br><br>
 						<table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
 						    <tr id="frheader">
 								<td width="5%" class="listhdrr">Remove</td>
+								<td class="listhdrr">#</td>
 								<td class="listhdrr">IP</td>
 								<td class="listhdrr">Alert Description</td>
 							</tr>
 <?php
 
-	$associatealertip = $config['installedpackages']['snortglobal']['associatealertip'];
-	// $ips = `/sbin/pfctl -t snort2c -T show`;
-	/* this improves loading of ips by a factor of 10 */
-	exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
-	sleep(1);
-	$ips_array = file('/tmp/snort_block.cache');
-	//$ips_array = split("\n", $ips);
+/* set the arrays */
+exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
+$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
+$blocked_ips_array = str_replace('   ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache'))));
+
+$logent = $bnentries;
+
+if ($blocked_ips_array[0] != '')
+{
+
+	/* build the list and compare blocks to alerts */
 	$counter = 0;
-	foreach($ips_array as $ip) {
-		if(!$ip)
-			continue;
-		$ww_ip = str_replace(" ", "", $ip);
-		$counter++;
-		if($associatealertip)
-			$alert_description = get_snort_alert($ww_ip);
-		else
-			$alert_description = "";
-		echo "\n<tr>";
-		echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>";
-		echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>";
-		echo "\n<td>&nbsp;{$ww_ip}</td>";
-		echo "\n<td>&nbsp;{$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>";
-		echo "\n</tr>";
+	foreach($alerts_array as $fileline)
+	{
+
+	$counter++;
+
+	$alert_ip_src =  get_snort_alert_ip_src($fileline);
+	$alert_ip_disc = get_snort_alert_disc($fileline);
+
+	if (in_array("$alert_ip_src", $blocked_ips_array))
+        $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
+
 	}
-	echo "\n<tr><td colspan='3'>&nbsp;</td></tr>";
-	if($counter < 1)
-		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>";
-	else
-		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
 
-?>
+	/* reduce double occurrences */
+	$result = array_unique($input);
 
-						</table>
-		    		</td>
-		  		</tr>
-			</table>
-		</div>
-	</td>
-  </tr>
-</table>
+	/* buil final list, preg_match, buld html */
+	$counter2 = 0;
 
-</form>
+	foreach($result as $fileline2)
+	{
+		if($logent <= $counter2)
+		continue;
 
-<p>
+		$counter2++;
 
-<?php
+		$alert_block_ip_str =  get_snort_block_ip($fileline2);
 
-if ($blockedtab_msg_chk != "never_b")
+		if($alert_block_ip_str != '')
+		{
+			$alert_block_ip_match = array('[',']'); 
+			$alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str");
+		}else{	
+			$alert_block_ip = 'empty';
+		}
+
+		$alert_block_disc_str = get_snort_block_disc($fileline2);
+
+		if($alert_block_disc_str != '')
+		{
+			$alert_block_disc_match = array('] [',']'); 
+			$alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str");
+		}else{	
+			$alert_block_disc = 'empty';
+		}
+
+
+		/* use one echo to do the magic*/
+		echo "<tr>
+			<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'>
+			<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
+			<td>&nbsp;{$counter2}</td>
+			<td>&nbsp;{$alert_block_ip}</td>
+			<td>&nbsp;{$alert_block_disc}</td>
+			</tr>\n";
+		
+	}
+}
+
+if ($blocked_ips_array[0] == '')
 {
-echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every <strong>$blocked_msg</strong>.";
+		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>";
 }else{
-echo "This page lists hosts that have been blocked by Snort. Snort package settings are set to never <strong>remove</strong> hosts.";
+		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
 }
 
 ?>
-
+						</table>
+		    		</td>
+		  		</tr>
+			</table>
+		</div>
+	</td>
+  </tr>
+</table>
 <?php include("fend.inc"); ?>
-
 </body>
-</html>
-
-<?php
-
-/* write out snort cache */
-conf_mount_rw();
-write_snort_config_cache($snort_config);
-conf_mount_ro();
-?>
-\ No newline at end of file
+</html>
+\ No newline at end of file
author	robiscool <robrob2626@yahoo.com>	2009-12-26 01:20:14 -0800
committer	robiscool <robrob2626@yahoo.com>	2009-12-26 01:21:25 -0800
commit	4c2b54e15f835a3be2b3a3bb9f5a816e1d131868 (patch)
tree	29e94738ce3c3c2865b8f5425d2bb5af4c2a48a0 /config/snort-dev
parent	1d2f84a198e02e39e369813e363f97c4cec51411 (diff)
download	pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.tar.gz pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.tar.bz2 pfsense-packages-4c2b54e15f835a3be2b3a3bb9f5a816e1d131868.zip