diff options
-rw-r--r-- | config/snort/snort_blocked.php | 254 |
1 files changed, 108 insertions, 146 deletions
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 6994cb19..b3fb7aea 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -40,17 +40,19 @@ if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; -if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') +if (empty($pconfig['blertnumber'])) $bnentries = '500'; else $bnentries = $pconfig['blertnumber']; -if($_POST['todelete'] or $_GET['todelete']) { +if ($_POST['todelete'] || $_GET['todelete']) { + $ip = ""; if($_POST['todelete']) $ip = $_POST['todelete']; - if($_GET['todelete']) + else if($_GET['todelete']) $ip = $_GET['todelete']; - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + if (is_ipaddr($ip)) + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); } if ($_POST['remove']) { @@ -62,48 +64,46 @@ if ($_POST['remove']) { /* TODO: build a file with block ip and disc */ if ($_POST['download']) { - - ob_start(); //important or other posts will fail - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_blocked_{$save_date}.tar.gz"; - exec('/bin/mkdir /tmp/snort_blocked'); - exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); - - $blocked_ips_array_save = str_replace(' ', '', explode("\n", file_get_contents('/tmp/snort_block.pf'))); - - if ($blocked_ips_array_save[0] != '') { - /* build the list */ + $blocked_ips_array_save = ""; + exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); + /* build the list */ + if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) { + ob_start(); //important or other posts will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir -p /tmp/snort_blocked'); file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); - foreach($blocked_ips_array_save as $counter => $fileline) + foreach($blocked_ips_array_save as $counter => $fileline) { + if (empty($fileline)) + continue; + $fileline = trim($fileline, " \n\t"); file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); - } - - exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - - if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: " . filesize("/tmp/snort_blocked_{$save_date}.tar.gz")); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - od_end_clean(); //importanr or other post will fail - @unlink("/tmp/snort_blocked_{$save_date}.tar.gz"); - @unlink("/tmp/snort_block.pf"); - @unlink("/tmp/snort_blocked/snort_block.pf"); + } + + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); + + if(file_exists("/tmp/{$file_name}")) { + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: " . filesize("/tmp/{$file_name}")); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("/tmp/{$file_name}"); + ob_end_clean(); //importanr or other post will fail + @unlink("/tmp/snort_blocked_{$save_date}.tar.gz"); + @unlink("/tmp/snort_blocked/snort_block.pf"); + } else + $savemsg = "An error occurred while createing archive"; } else - echo 'Error no saved file.'; - + $savemsg = "No content on snort block list"; } if ($_POST['save']) { - /* no errors */ - if (!$input_errors) - { + if (!$input_errors) { $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; @@ -123,37 +123,18 @@ function get_snort_alert_ip_src($fileline) $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - $alert_ip_src = $matches4[1][0]; + return $matches4[1][0]; - return $alert_ip_src; + return ""; } function get_snort_alert_disc($fileline) { /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_disc = "$matches[2]"; - - return $alert_disc; -} - -/* build sec filters */ -function get_snort_block_ip($fileline) -{ - /* ip */ - if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) - $alert_block_ip = "$matches[0]"; - - return $alert_block_ip; -} - -function get_snort_block_disc($fileline) -{ - /* disc */ - if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) - $alert_block_disc = "$matches[0]"; + if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches)) + return "{$matches[2]}"; - return $alert_block_disc; + return ""; } /* tell the user what settings they have */ @@ -278,100 +259,81 @@ if ($pconfig['brefresh'] == 'on') <td class="listhdrr">IP</td> <td class="listhdrr">Alert Description</td> </tr> - <?php - - /* set the arrays */ - exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); - $blocked_ips_array = explode("\n", str_replace(' ', '', file_get_contents('/tmp/snort_block.cache'))); - if (!empty($blocked_ips_array)) { - $input = array(); - $alert_ip_src_array = array(); - foreach (glob("/var/log/snort/*/alert") as $alert) { + <?php + /* set the arrays */ + $blocked_ips = ""; + exec('/sbin/pfctl -t snort2c -T show', $blocked_ips); + $blocked_ips_array = array(); + if (!empty($blocked_ips)) { + $blocked_ips_array = array(); + if (is_array($blocked_ips)) { + foreach ($blocked_ips as $blocked_ip) { + if (empty($blocked_ip)) + continue; + $blocked_ips_array[] = trim($blocked_ip, " \n\t"); + } + } + $input = array(); + $alert_ip_src_array = array(); + foreach (glob("/var/log/snort/*/alert") as $alert) { + if ($pconfig['snortalertlogtype'] == 'full') $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); - if (!empty($alerts_array[0])) { - /* build the list and compare blocks to alerts */ - $counter = 0; - foreach($alerts_array as $fileline) { - - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - - if (in_array("$alert_ip_src", $blocked_ips_array)) - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; - } + else + $alerts_array = array_reverse(file($alert)); + /* build the list and compare blocks to alerts */ + foreach($alerts_array as $counter => $fileline) { + if (empty($fileline)) + continue; + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = $alert_ip_src; + if (!empty($blocked_ips_array) && in_array("$alert_ip_src", $blocked_ips_array)) { + if (!isset($input[$alert_ip_src])) + $input[$alert_ip_src] = "{$alert_ip_disc}\n"; } } - - foreach($blocked_ips_array as $alert_block_ip) { - if (is_ipaddr($alert_block_ip) && !in_array($alert_block_ip, $alert_ip_src_array)) - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - - /* reduce double occurrences */ - $result = array_unique($input); - - /* buil final list, preg_match, buld html */ - $counter2 = 0; - $logent = $bnentries; - - foreach($result as $fileline) { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_ip_str = get_snort_block_ip($fileline); - - if($alert_block_ip_str != '') { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - } else - $alert_block_ip = 'empty'; - - $alert_block_disc_str = get_snort_block_disc($fileline); - - if($alert_block_disc_str != '') { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else - $alert_block_disc = 'empty'; - - /* use one echo to do the magic*/ - echo "<tr> - <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + } + + foreach($blocked_ips_array as $blocked_ip) { + if (is_ipaddr($blocked_ip) && !isset($input[$blocked_ip])) + $input[] = "N\A\n"; + } + + /* buil final list, preg_match, buld html */ + $counter = 0; + foreach($input as $blocked_ip => $blocked_desc) { + if($counter > $bnentries) + break; + else + $counter++; + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - <td> {$counter2}</td> - <td> {$alert_block_ip}</td> - <td> {$alert_block_disc}</td> + <td> {$counter}</td> + <td> {$blocked_ip}</td> + <td> {$blocked_desc}</td> </tr>\n"; - } + } - echo '</table>' . "\n"; - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; - } else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; + echo '</table>' . "\n"; + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; + } else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; - ?> - </td> - </tr> - </table> + ?> </td> - </tr> - </table> - </div> - - <?php - - include("fend.inc"); - -echo $snort_custom_rnd_box; - + </tr> + </table> + </td> + </tr> +</table> +</div> +<?php +include("fend.inc"); ?> - </body> </html> |