aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorBBcan177 <bbcan177@gmail.com>2016-03-20 22:29:16 -0400
committerBBcan177 <bbcan177@gmail.com>2016-03-20 22:29:16 -0400
commitd476a2c4d0d5bd8108aed44bfe91dc14015a3b66 (patch)
tree112eaa431e4e1cc2cb4bf1db0e287b2175b3def1 /config
parenta57408e6eafbc85309a7f62bd949d350523e140b (diff)
downloadpfsense-packages-d476a2c4d0d5bd8108aed44bfe91dc14015a3b66.tar.gz
pfsense-packages-d476a2c4d0d5bd8108aed44bfe91dc14015a3b66.tar.bz2
pfsense-packages-d476a2c4d0d5bd8108aed44bfe91dc14015a3b66.zip
Update pfblockerng_alerts.php
* Improve dnsbl_suppression() function to account for '#' Comment lines in custom list * Improve DNSBL Suppression to also suppress any CNAMES associated with domain name Hardcode drill command with @8.8.8.8 (May have to add option in future to allow user to override DNS server entry) * Improve Proofpoint/Emerging Threats IQRisk integrations
Diffstat (limited to 'config')
-rw-r--r--config/pfblockerng/pfblockerng_alerts.php105
1 files changed, 71 insertions, 34 deletions
diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php
index 79cd0d62..13fb64f6 100644
--- a/config/pfblockerng/pfblockerng_alerts.php
+++ b/config/pfblockerng/pfblockerng_alerts.php
@@ -80,6 +80,18 @@ foreach ($aglobal_array as $type => $value) {
${"$type"} = $pfb['aglobal'][$type] != '' ? $pfb['aglobal'][$type] : $value;
}
+// Collect DNSBL suppression list
+$pfb['dsupp'] = &$config['installedpackages']['pfblockerngdnsblsettings']['config'][0]['suppression'];
+$dnssupp_ex = array();
+$suppression = pfbng_text_area_decode($pfb['dnsblconfig']['suppression'], TRUE);
+if (isset($suppression)) {
+ foreach ($suppression as $dnssupp) {
+ // Create 1) array for the suppressed domains 2) A string with the domain and comment text
+ $dnssupp_ex[] = $dnssupp[0];
+ $dnssupp_dat .= "{$dnssupp[0]}{$dnssupp[1]}\r\n";
+ }
+}
+
// Save Alerts tab customizations
if (isset($_POST['save'])) {
$pfb['aglobal']['alertrefresh'] = htmlspecialchars($_POST['alertrefresh']) ?: 'off';
@@ -250,21 +262,46 @@ if (isset($_POST['addsuppress'])) {
if (isset($_POST['addsuppressdom'])) {
$domain = htmlspecialchars($_POST['domain']);
$domainparse = str_replace('.', '\.', $domain);
- $pfb['dsupp'] = &$config['installedpackages']['pfblockerngdnsblsettings']['config'][0]['suppression'];
- // Collect existing suppression list
- $dnssupp_ex = collectsuppression();
+ // Query for Domain in Unbound DNSBL file.
+ $dnsbl_query = exec("/usr/bin/grep -Hm1 ' \"{$domainparse} 60 IN A' {$pfb['dnsbl_file']}.conf");
- // Query for domain in Unbound DNSBL file.
- $dnsbl_query = exec("/usr/bin/grep -Hm1 ' \"{$domain} 60 IN A' {$pfb['dnsbl_file']}.conf");
+ // Query Domain for CNAME(s)
+ exec("/usr/bin/drill {$domain} @8.8.8.8 | /usr/bin/awk '/CNAME/ {sub(\"\.$\", \"\", $5); print $5;}'", $cname_list);
+ if (!empty($cname_list)) {
+ $cname = array();
+ $dnsbl_query = 'Found';
+
+ foreach ($cname_list as $query) {
+ $cname[] = $query;
+ }
+ }
// Save new suppress domain to suppress list.
if (empty($dnsbl_query)) {
- $savemsg = gettext("Domain: [ {$domain} ] does not exist in the Unbound Resolver DNSBL");
+ $savemsg = gettext("Domain: [ ") . "{$domain}" . gettext(" ] does not exist in the Unbound Resolver DNSBL");
exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$domain}.");
- } else {
- // Remove domain from Unbound resolver pfb_dnsbl.conf file
- exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf");
+ }
+ else {
+ if (is_array($cname)) {
+ // Remove Domain and CNAME(s) in Unbound resolver pfb_dnsbl.conf file
+ $removed = "{$domain} | ";
+ $supp_string = "{$domain}\r\n";
+ exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf");
+
+ foreach ($cname as $name) {
+ $removed .= "{$name} | ";
+ $supp_string .= "{$name} # CNAME for ({$domain})\r\n";
+ exec("{$pfb['sed']} -i '' '/ \"{$name} 60 IN A/d' {$pfb['dnsbl_file']}.conf");
+ }
+ $savemsg = gettext("Removed - Domain|CNAME(s) | ") . "{$removed}"
+ . gettext("from Unbound Resolver DNSBL. You may need to flush your browsers DNS Cache");
+ }
+ else {
+ // Remove domain from Unbound resolver pfb_dnsbl.conf file
+ exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf");
+ $savemsg = gettext("Removed Domain: [ ") . "{$domain}" . gettext(" ] from Resolver DNSBL. You may need to flush your browsers DNS Cache");
+ }
$cache_dumpfile = '/var/tmp/unbound_cache';
unlink_if_exists("{$cache_dumpfile}");
@@ -278,14 +315,21 @@ if (isset($_POST['addsuppressdom'])) {
}
exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$domain}");
+ if (is_array($cname)) {
+ foreach ($cname as $name) {
+ exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$name}");
+ }
+ }
if (!in_array($domain, $dnssupp_ex)) {
- $dnssupp_ex[] = $domain;
- $dnssupp_new = base64_encode(implode("\n", $dnssupp_ex));
- $pfb['dsupp'] = "{$dnssupp_new}";
+ if (is_array($cname)) {
+ $dnssupp_dat .= "{$supp_string}";
+ } else {
+ $dnssupp_dat .= "{$domain}";
+ }
+ $pfb['dsupp'] = base64_encode($dnssupp_dat);
write_config("pfBlockerNG: Added {$domain} to DNSBL suppress list");
}
- $savemsg = gettext("Removed Domain: [ {$domain} ] from Unbound Resolver DNSBL. You may need to flush your browsers DNS Cache");
}
}
@@ -387,7 +431,7 @@ if (isset($config['interfaces'])) {
}
// Collect DNSBL Interfaces
- $dnsbl_int[] = array("{$int['ipaddr']}/{$int['subnet']}", "{$int['descr']}");
+ $dnsbl_int[] = array("{$int['ipaddr']}/{$int['subnet']}", "{$int['descr']}");
}
}
@@ -458,20 +502,8 @@ if (isset($pf_int)) {
$local_hosts = array_merge($local_hosts, array_flip(array_filter($pf_int)));
}
-// FUNCTION DEFINITIONS
-
-
-// Collect existing suppression list
-function collectsuppression() {
- global $pfb;
- $dnssupp_ex = array();
- $custom_list = pfbng_text_area_decode($pfb['dnsblconfig']['suppression']);
- if (!empty($custom_list)) {
- $dnssupp_ex = array_filter( explode("\n", pfbng_text_area_decode($pfb['dnsblconfig']['suppression'])));
- }
- return ($dnssupp_ex);
-}
+// FUNCTION DEFINITIONS
// Host resolve function lookup
@@ -1000,8 +1032,6 @@ if ($pfb['dnsbl'] == 'on' && $type == 'DNSBL') {
$alert_dom .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width='11' height='11' border='0' ";
$alert_dom .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\" /></a>";
- // Collect existing suppression list
- $dnssupp_ex = collectsuppression();
if (!in_array($pfbalertdnsbl[8], $dnssupp_ex)) {
$supp_dom = "<input type='image' name='addsuppressdom[]' onclick=\"domainlistid('{$domain}');\" ";
$supp_dom .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" alt='' title=\"";
@@ -1158,12 +1188,18 @@ if (!empty($fields_array[$type]) && !empty($rule_list) && $type != 'DNSBL') {
$pfb_match[2] = '';
}
else {
+ $pfb_query = find_reported_header($host, $pfbfolder, FALSE);
+
// Report specific ET IQRisk details
- if ($pfb['et_header'] && strpos($pfb_query, "{$et_header}") !== FALSE) {
- $pfbfolder = "{$pfb['etdir']}/*";
- }
+ if ($pfb['et_header'] && strpos($pfb_query[1], "{$et_header}") !== FALSE) {
+ $ET_orig = $pfb_query;
+ $pfb_query = find_reported_header($host, "{$pfb['etdir']}/*", FALSE);
- $pfb_query = find_reported_header($host, $pfbfolder, FALSE);
+ // On 'no match', ET IQRisk category is unknown.
+ if ($pfb_query[1] == 'no match') {
+ $pfb_query = $ET_orig;
+ }
+ }
// Split list column into two lines.
$pfb_match[1] = "{$pfb_query[1]}";
@@ -1276,6 +1312,7 @@ function domainlistid(domain,domainlist) {
// Auto-resolve of alerted hostnames
function findhostnames(counter) {
+
getip = jQuery('#gethostname_' + counter).attr('name');
geturl = "/pfblockerng/pfblockerng_alerts_ar.php";
jQuery.get( geturl, { "getpfhostname": getip } )
@@ -1311,4 +1348,4 @@ function enable_hideFilter() {
<?php include('fend.inc'); ?>
</form>
</body>
-</html> \ No newline at end of file
+</html>