diff options
-rw-r--r-- | config/pfblockerng/pfblockerng_alerts.php | 149 |
1 files changed, 139 insertions, 10 deletions
diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php index 0164a4d2..e092b25c 100644 --- a/config/pfblockerng/pfblockerng_alerts.php +++ b/config/pfblockerng/pfblockerng_alerts.php @@ -69,6 +69,9 @@ $filter_logfile = "{$g['varlog_path']}/filter.log"; $pathgeoipdat = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIP.dat"; $pathgeoipdat6 = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIPv6.dat"; +// Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package) +$pfb['filterlogentries'] = FALSE; + // Emerging Threats IQRisk Header Name Reference $pfb['et_header'] = TRUE; $et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header']; @@ -127,6 +130,54 @@ if (is_array($config['installedpackages']['pfblockerngglobal'])) { $pfbmatchcnt = $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt']; } + +function pfb_match_filter_field($flent, $fields) { + foreach ($fields as $key => $field) { + if ($field == null) + continue; + if ((strpos($field, '!') === 0)) { + $field = substr($field, 1); + $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); + if (@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + else { + $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); + if (!@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + } + return true; +} + + +if ($_POST['filterlogentries_submit']) { + // Set flag for filtering alert entries + $pfb['filterlogentries'] = TRUE; + + // Note the order of these fields must match the order decoded from the alerts log + $filterfieldsarray = array(); + $filterfieldsarray[0] = $_POST['filterlogentries_rule'] ? $_POST['filterlogentries_rule'] : null; + $filterfieldsarray[2] = $_POST['filterlogentries_int'] ? $_POST['filterlogentries_int'] : null; + $filterfieldsarray[6] = strtolower($_POST['filterlogentries_proto']) ? $_POST['filterlogentries_proto'] : null; + + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[7] = $_POST['filterlogentries_srcip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_srcip']) : null; + $filterfieldsarray[8] = $_POST['filterlogentries_dstip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_dstip']) : null; + + $filterfieldsarray[9] = $_POST['filterlogentries_srcport'] ? $_POST['filterlogentries_srcport'] : null; + $filterfieldsarray[10] = $_POST['filterlogentries_dstport'] ? $_POST['filterlogentries_dstport'] : null; + $filterfieldsarray[90] = $_POST['filterlogentries_dnsbl'] ? $_POST['filterlogentries_dnsbl'] : null; + $filterfieldsarray[99] = $_POST['filterlogentries_date'] ? $_POST['filterlogentries_date'] : null; +} + + +if ($_POST['filterlogentries_clear']) { + $pfb['filterlogentries'] = TRUE; + $filterfieldsarray = array(); +} + + // Collect pfBlockerNG Firewall Rules if (!empty($results)) { foreach ($results as $result) { @@ -298,7 +349,7 @@ function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") { // Parse Filter log for pfBlockerNG Alerts function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) { - global $rule_list; + global $pfb, $rule_list, $filterfieldsarray; $fields_array = array(); $logarr = ""; $denycnt = 0; @@ -360,8 +411,13 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) continue; - $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name - $pfbalert[6] = strtoupper($pfbalert[6]); + $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name + $pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11]; // Protocol Flags + + // If Alerts Filtering is selected, process Filters as required. + if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) { + continue; + } if ($pfbalert[3] == "block") { if ($denycnt < $pfbdenycnt) { @@ -445,7 +501,7 @@ if ($savemsg) { </tr> <tr> <td><div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="4"> <tr> <td colspan="3" class="vncell" align="left"><?php echo gettext("LINKS :"); ?> <a href='/firewall_aliases.php' target="_blank"><?php echo gettext("Firewall Alias"); ?></a> @@ -473,6 +529,71 @@ if ($savemsg) { <?php printf(gettext("Currently Suppressing %s$pfbsupp_cnt%s Hosts."), '<strong>', '</strong>');?> </td> </tr> + <tr> + <td colspan="3" class="listtopic"><?php echo gettext("Alert Log View Filter"); ?></td> + </tr> + <tr id="filter_enable_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "table-row;";} else {echo "none;";} ?>"> + <td width="10%" class="vncell"><?php echo gettext('Filter Options'); ?></td> + <td width="90%" class="vtable"> + <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" /> + <?=gettext("Click to display advanced filtering options dialog");?> + </td> + </tr> + <tr id="filter_options_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "none;";} else {echo "table-row;";} ?>"> + <td colspan="2"> + <table width="100%" border="0" cellspacing="0" cellpadding="1" summary="action"> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Date");?></div> + <div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Interface");?></div> + <div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Rule Number Only");?></div> + <div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Protocol");?></div> + <div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div> + </td> + </tr> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Source IP Address");?></div> + <div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Source Port");?></div> + <div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Destination IP Address");?></div> + <div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Destination Port");?></div> + <div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div> + </td> + </tr> + <td colspan="5" style="vertical-align:bottom"> + + <br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?>   <?=gettext("Precede with exclamation (!) as first character to exclude match.) ");?> + <br /><?printf(gettext("Example: ( ^80$ - Match Port 80, ^80$|^8080$ - Match both port 80 & 8080 ) "));?><br /> + </tr> + <tr> + <td colspan="1" style="vertical-align:bottom"> + <div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" /> + <input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" /> + <input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div> + </td> + </tr> + </table> + </td> + </tr> + <!--Create Three Output Windows 'Deny', 'Permit' and 'Match'--> <?php foreach (array ("Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ): switch($type) { @@ -632,8 +753,6 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { $rulenum = $fields[0]; if ($counter < $pfbentries) { - $proto = str_replace("TCP", "TCP-", $fields[6]) . $fields[11]; - // Cleanup Port Output if ($fields[6] == "ICMP" || $fields[6] == "ICMPV6") { $srcport = ""; @@ -660,7 +779,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; - $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" title=\""; + $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\""; $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>"; } @@ -683,7 +802,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; - $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" title=\""; + $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\""; $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>"; } @@ -757,7 +876,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { } } elseif (is_ipaddrv6($host) && $pfb_query != "Country") { - $pfb_query = exec("/usr/bin/grep -Hm1 '{$host}' {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'"); + $pfb_query = exec("/usr/bin/grep -Hm1 {$host} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'"); } // Default to "No Match" if not found. @@ -809,7 +928,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { <td class='listMRr' align='center'>{$fields[99]}</td> <td class='listMRr' align='center'>{$fields[2]}</td> <td class='listMRr' align='center' title='The pfBlockerNG Rule that Blocked this Host.'>{$rule}</td> - <td class='listMRr' align='center'>{$proto}</td> + <td class='listMRr' align='center'>{$fields[6]}</td> <td class='listMRr' align='center' style='sorttable_customkey:{$fields[7]};' sorttable_customkey='{$fields[7]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td> <td class='listMRr' align='center' style='sorttable_customkey:{$fields[8]};' sorttable_customkey='{$fields[8]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td> <td class='listMRr' align='center'>{$country}</td> @@ -872,6 +991,16 @@ if ( autoresolve == "on" ) { } } +function enable_showFilter() { + document.getElementById("filter_enable_row").style.display="none"; + document.getElementById("filter_options_row").style.display="table-row"; +} + +function enable_hideFilter() { + document.getElementById("filter_enable_row").style.display="table-row"; + document.getElementById("filter_options_row").style.display="none"; +} + //]]> </script> <?php include("fend.inc"); ?> |