diff options
Diffstat (limited to 'config/snort-dev/snort_blocked.php')
| -rw-r--r-- | config/snort-dev/snort_blocked.php | 501 |
1 files changed, 367 insertions, 134 deletions
diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php index fdc12480..932e0983 100644 --- a/config/snort-dev/snort_blocked.php +++ b/config/snort-dev/snort_blocked.php @@ -1,18 +1,12 @@ <?php /* $Id$ */ /* - - part of pfSense - All rights reserved. - - Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + snort_blocked.php + Copyright (C) 2006 Scott Ullrich All rights reserved. - Pfsense Old snort GUI - Copyright (C) 2006 Scott Ullrich. - - Pfsense snort GUI - Copyright (C) 2008-2012 Robert Zelaya. + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -24,10 +18,6 @@ notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - 3. Neither the name of the pfSense nor the names of its contributors - may be used to endorse or promote products derived from this software without - specific prior written permission. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -38,156 +28,399 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_new.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + +$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; +$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; + +if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') +{ + $bnentries = '500'; +}else{ + $bnentries = $pconfig['blertnumber']; +} + +if($_POST['todelete'] or $_GET['todelete']) { + if($_POST['todelete']) + $ip = $_POST['todelete']; + if($_GET['todelete']) + $ip = $_GET['todelete']; + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); +} + +if ($_POST['remove']) { + exec("/sbin/pfctl -t snort2c -T flush"); + sleep(1); + header("Location: /snort/snort_blocked.php"); + exit; + +} + +/* TODO: build a file with block ip and disc */ +if ($_POST['download']) +{ + + ob_start(); //important or other posts will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir /tmp/snort_blocked'); + exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); + + $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); + + if ($blocked_ips_array_save[0] != '') { + /* build the list */ + file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); + foreach($blocked_ips_array_save as $counter => $fileline3) + file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); + } + + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); + + if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { + $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); + exec("/bin/rm /tmp/snort_block.pf"); + exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); + od_end_clean(); //importanr or other post will fail + } else + echo 'Error no saved file.'; + +} + +if ($_POST['save']) +{ + + /* input validation */ + if ($_POST['save']) + { + + + } + + /* no errors */ + if (!$input_errors) + { + $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; + + write_config(); -//Set no caching -header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); -header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); -header("Cache-Control: no-store, no-cache, must-revalidate"); -header("Cache-Control: post-check=0, pre-check=0", false); -header("Pragma: no-cache"); + header("Location: /snort/snort_blocked.php"); + } -$generalSettings = snortSql_fetchAllSettings('snortDB', 'SnortSettings', 'id', '1'); +} -$blertnumber = $generalSettings['blertnumber']; +/* build filter funcs */ +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 -$brefresh_on = ($generalSettings['brefresh'] == 'on' ? 'checked' : ''); + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + $alert_ip_src = $matches4[1][0]; - $pgtitle = "Services: Snort Blocked Hosts"; - include("/usr/local/pkg/snort/snort_head.inc"); + return $alert_ip_src; +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_disc = "$matches[2]"; + + return $alert_disc; +} + +/* build sec filters */ +function get_snort_block_ip($fileline) +{ + /* ip */ + if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) + $alert_block_ip = "$matches[0]"; + + return $alert_block_ip; +} + +function get_snort_block_disc($fileline) +{ + /* disc */ + if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) + $alert_block_disc = "$matches[0]"; + + return $alert_block_disc; +} + +/* tell the user what settings they have */ +$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; +if ($blockedtab_msg_chk == "1h_b") { + $blocked_msg = "hour"; +} +if ($blockedtab_msg_chk == "3h_b") { + $blocked_msg = "3 hours"; +} +if ($blockedtab_msg_chk == "6h_b") { + $blocked_msg = "6 hours"; +} +if ($blockedtab_msg_chk == "12h_b") { + $blocked_msg = "12 hours"; +} +if ($blockedtab_msg_chk == "1d_b") { + $blocked_msg = "day"; +} +if ($blockedtab_msg_chk == "4d_b") { + $blocked_msg = "4 days"; +} +if ($blockedtab_msg_chk == "7d_b") { + $blocked_msg = "7 days"; +} +if ($blockedtab_msg_chk == "28d_b") { + $blocked_msg = "28 days"; +} + +if ($blockedtab_msg_chk != "never_b") +{ + $blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>."; +}else{ + $blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts."; +} + +$pgtitle = "Services: Snort Blocked Hosts"; +include_once("head.inc"); ?> - - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<!-- loading msg --> -<div id="loadingWaiting"> - <div class="snortModal" style="top: 200px; left: 700px;"> - <div class="snortModalTop"> - <!-- <div class="snortModalTopClose"><a href="javascript:hideLoading('#loadingWaiting');"><img src="/snort/images/close_9x9.gif" border="0" height="9" width="9"></a></div> --> - </div> - <div class="snortModalTitle"> - <p><img src="./images/loading.gif" /><br><br>Please Wait...</p> - </div> - <div> - <p class="loadingWaitingMessage"></p> - </div> - </div> -</div> - -<?php include("fbegin.inc"); ?> -<!-- hack to fix the hardcoed fbegin link in header --> -<div id="header-left2"> -<a href="../index.php" id="status-link2"> -<img src="./images/transparent.gif" border="0"></img> -</a> -</div> - -<div class="body2"><!-- hack to fix the hardcoed fbegin link in header --> -<div id="header-left2"><a href="../index.php" id="status-link2"><img src="./images/transparent.gif" border="0"></img></a></div> - -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <div class="newtabmenu" style="margin: 1px 0px; width: 775px;"><!-- Tabbed bar code--> - <ul class="newtabmenu"> - <li><a href="/snort/snort_interfaces.php"><span>Snort Interfaces</span></a></li> - <li><a href="/snort/snort_interfaces_global.php"><span>Global Settings</span></a></li> - <li><a href="/snort/snort_download_updates.php"><span>Updates</span></a></li> - <li><a href="/snort/snort_interfaces_rules.php"><span>RulesDB</span></a></li> - <li><a href="/snort/snort_alerts.php"><span>Alerts</span></a></li> - <li class="newtabmenu_active"><a href="/snort/snort_blocked.php"><span>Blocked</span></a></li> - <li><a href="/snort/snort_interfaces_whitelist.php"><span>Whitelists</span></a></li> - <li><a href="/snort/snort_interfaces_suppress.php"><span>Suppress</span></a></li> - <li><a href="/snort/snort_help_info.php"><span>Help</span></a></li> - </ul> - </div> +<body link="#000000" vlink="#000000" alink="#000000"> - </td> - </tr> +<?php + +include_once("fbegin.inc"); +echo $snort_general_css; + +/* refresh every 60 secs */ +if ($pconfig['brefresh'] == 'on') + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; +?> + +<div class="body2"><?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> +</td></tr> <tr> - <td id="tdbggrey"> - <table width="100%" border="0" cellpadding="10px" cellspacing="0"> - <tr> - <td class="tabnavtbl"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <!-- START MAIN AREA --> - - <tr id="maintable" data-options='{"pagetable":"SnortSettings"}'> <!-- db to lookup --> - <td width="22%" colspan="0" class="listtopic">Last 500 Blocked.</td> - <td class="listtopic">This page lists hosts that have been blocked by Snort. Hosts are removed every <strong>hour</strong>.</td> + <td> + <div id="mainarea2"> + + <table id="maintable" class="tabcont" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr> + <td width="22%" colspan="0" class="listtopic">Last <?=$bnentries;?> + Blocked.</td> + <td width="78%" class="listtopic">This page lists hosts that have + been blocked by Snort. <?=$blocked_msg_txt;?></td> </tr> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td class="vncell2" valign="center" width="22%"><span class="vexpl">Save or Remove Hosts</span></td> - <td width="40%" class="vtable"> - <form id="iform" > - <input name="snortblockedlogsdownload" type="submit" class="formbtn" value="Download" > - <input type="hidden" name="snortblockedlogsdownload" value="1" /> - <span class="vexpl">Save All Blocked Hosts</span> - </form> + <td width="22%" class="vncell">Save or Remove Hosts</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"><input + name="download" type="submit" class="formbtn" value="Download"> All + blocked hosts will be saved. <input name="remove" type="submit" + class="formbtn" value="Clear"> <span class="red"><strong>Warning:</strong></span> + all hosts will be removed.</form> </td> - <td class="vtable"> - <form id="iform2" > - <input name="remove" type="submit" class="formbtn" value="Clear" onclick="return confirm('Do you really want to remove all blocked hosts ? All Blocked Hosts will be removed !')" > - <input type="hidden" name="snortflushpftable" value="1" /> - <span class="vexpl red"><strong>Warning:</strong></span><span class="vexpl"> all hosts will be removed.</span> - </form> - </td> - - <div class="hiddendownloadlink"> - </div> - </tr> <tr> - <td class="vncell2" valign="center"><span class="vexpl">Auto Refresh and Log View</span></td> - <td class="vtable"> - <form id="iform3" > - <input name="save" type="submit" class="formbtn" value="Save"> - <input id="cancel" type="button" class="formbtn" value="Cancel"> - <span class="vexpl">Auto Refresh</span> - <input name="brefresh" id="brefresh" type="checkbox" value="on" <?=$brefresh_on; ?> > - <span class="vexpl"><strong>Default ON</strong>.</span> - </td> - <td class="vtable"> - <input name="blertnumber" type="text" class="formfld2" id="blertnumber" size="5" value="<?=$blertnumber;?>" > - <span class="vexpl">Limit entries to view. <strong>Default 500</strong>.</span> - - <input type="hidden" name="snortSaveSettings" value="1" /> <!-- what to do, save --> - <input type="hidden" name="dbName" value="snortDB" /> <!-- what db --> - <input type="hidden" name="dbTable" value="SnortSettings" /> <!-- what db table --> - <input type="hidden" name="ifaceTab" value="snort_blocked" /> <!-- what interface tab --> - + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"><input + name="save" type="submit" class="formbtn" value="Save"> Refresh <input + name="brefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. <input + name="blertnumber" type="text" class="formfld" id="blertnumber" + size="5" value="<?=htmlspecialchars($bnentries);?>"> Enter the + number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>. </form> </td> </tr> - </table> - - <!-- STOP MAIN AREA --> </table> + </div> + <br> </td> - </tr> - </table> - </td> </tr> -</table> -</div> + <table class="tabcont" width="100%" border="0" cellspacing="0" + cellpadding="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">#</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> + <?php + + /* set the arrays */ + exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); + $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); + foreach (glob("/var/log/snort/alert_*") as $alert) { + $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}"))); + + $logent = $bnentries; + + if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') + { + + /* build the list and compare blocks to alerts */ + $counter = 0; + foreach($alerts_array as $fileline) + { + + $counter++; + + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } + + foreach($blocked_ips_array as $alert_block_ip) + { + + if (!in_array($alert_block_ip, $alert_ip_src_array)) + { + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } + } + + /* reduce double occurrences */ + $result = array_unique($input); + + /* buil final list, preg_match, buld html */ + $counter2 = 0; + + foreach($result as $fileline2) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_ip_str = get_snort_block_ip($fileline2); + + if($alert_block_ip_str != '') + { + $alert_block_ip_match = array('[',']'); + $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); + }else{ + $alert_block_ip = 'empty'; + } + + $alert_block_disc_str = get_snort_block_disc($fileline2); + + if($alert_block_disc_str != '') + { + $alert_block_disc_match = array('] [',']'); + $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); + }else{ + $alert_block_disc = 'empty'; + } + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + + } + + }else{ + + /* if alerts file is empty and blocked table is not empty */ + $counter2 = 0; + + foreach($blocked_ips_array as $alert_block_ip) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_disc = 'N/A'; + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + } + } + } + + echo '</table>' . "\n"; + + if (empty($blocked_ips_array[0])) + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; + else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; + + ?> + </td> + </tr> + </table> + </td> + </tr> + </table> + </div> + + <?php + + include("fend.inc"); -<!-- footer do not touch below --> -<?php -include("fend.inc"); echo $snort_custom_rnd_box; -?> +?> </body> </html> |