Diffstat (limited to 'config/snort')
-rw-r--r--config/snort/snort_blocked.php254
1 files changed, 108 insertions, 146 deletions
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 6994cb19..b3fb7aea 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -40,17 +40,19 @@ if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
-if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
+if (empty($pconfig['blertnumber']))
$bnentries = '500';
else
$bnentries = $pconfig['blertnumber'];
-if($_POST['todelete'] or $_GET['todelete']) {
+if ($_POST['todelete'] || $_GET['todelete']) {
+ $ip = "";
if($_POST['todelete'])
$ip = $_POST['todelete'];
- if($_GET['todelete'])
+ else if($_GET['todelete'])
$ip = $_GET['todelete'];
- exec("/sbin/pfctl -t snort2c -T delete {$ip}");
+ if (is_ipaddr($ip))
+ exec("/sbin/pfctl -t snort2c -T delete {$ip}");
}
if ($_POST['remove']) {
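Review bot: The `$_GET['todelete']` path is still a state-changing action driven by a plain link, so the new is_ipaddr() check constrains what reaches the shell but not who can trigger the `pfctl -t snort2c -T delete`; any page the logged-in admin views can embed that URL. Making the delete POST-only (with whatever CSRF token the surrounding framework provides, if any) is the structural fix; at minimum the GET branch should be documented as a known weakness. When is_ipaddr() fails the block silently does nothing, so add `else $input_errors[] = "Invalid IP address in delete request";` so the user sees why the entry remains. Passing `escapeshellarg($ip)` to exec() is cheap defense in depth even after validation.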
@@ -62,48 +64,46 @@ if ($_POST['remove']) {
/* TODO: build a file with block ip and disc */
if ($_POST['download'])
{
-
- ob_start(); //important or other posts will fail
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
- $file_name = "snort_blocked_{$save_date}.tar.gz";
- exec('/bin/mkdir /tmp/snort_blocked');
- exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
-
- $blocked_ips_array_save = str_replace(' ', '', explode("\n", file_get_contents('/tmp/snort_block.pf')));
-
- if ($blocked_ips_array_save[0] != '') {
- /* build the list */
+ $blocked_ips_array_save = "";
+ exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save);
+ /* build the list */
+ if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) {
+ ob_start(); //important or other posts will fail
+ $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $file_name = "snort_blocked_{$save_date}.tar.gz";
+ exec('/bin/mkdir -p /tmp/snort_blocked');
file_put_contents("/tmp/snort_blocked/snort_block.pf", "");
- foreach($blocked_ips_array_save as $counter => $fileline)
+ foreach($blocked_ips_array_save as $counter => $fileline) {
+ if (empty($fileline))
+ continue;
+ $fileline = trim($fileline, " \n\t");
file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND);
- }
-
- exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
-
- if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) {
- header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
- header("Pragma: private"); // needed for IE
- header("Cache-Control: private, must-revalidate"); // needed for IE
- header('Content-type: application/force-download');
- header('Content-Transfer-Encoding: Binary');
- header("Content-length: " . filesize("/tmp/snort_blocked_{$save_date}.tar.gz"));
- header("Content-disposition: attachment; filename = {$file_name}");
- readfile("$file");
- od_end_clean(); //importanr or other post will fail
- @unlink("/tmp/snort_blocked_{$save_date}.tar.gz");
- @unlink("/tmp/snort_block.pf");
- @unlink("/tmp/snort_blocked/snort_block.pf");
+ }
+
+ exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
+
+ if(file_exists("/tmp/{$file_name}")) {
+ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+ header("Pragma: private"); // needed for IE
+ header("Cache-Control: private, must-revalidate"); // needed for IE
+ header('Content-type: application/force-download');
+ header('Content-Transfer-Encoding: Binary');
+ header("Content-length: " . filesize("/tmp/{$file_name}"));
+ header("Content-disposition: attachment; filename = {$file_name}");
+ readfile("/tmp/{$file_name}");
+ ob_end_clean(); //importanr or other post will fail
+ @unlink("/tmp/snort_blocked_{$save_date}.tar.gz");
+ @unlink("/tmp/snort_blocked/snort_block.pf");
+ } else
+ $savemsg = "An error occurred while createing archive";
} else
- echo 'Error no saved file.';
-
+ $savemsg = "No content on snort block list";
}
if ($_POST['save'])
{
-
/* no errors */
- if (!$input_errors)
- {
+ if (!$input_errors) {
$config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber'];
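Review bot: The download branch likely sends an empty archive body: `ob_start()` is active, `readfile("/tmp/{$file_name}")` writes the tarball into that buffer, and the corrected `ob_end_clean()` on the next line discards it; the old `od_end_clean()` typo was an undefined-function fatal that flushed the buffer on exit, which is presumably why it appeared to work before. The script also continues to render the HTML page after the download, so the client receives a Content-length that does not match the body. Fix by calling `ob_end_clean();` before the first `header(...)`, dropping the call after readfile, and ending with `exit;` after the unlinks. The mismatched Content-length/body combination is worth a regression test since it is invisible in the page itself.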
@@ -123,37 +123,18 @@ function get_snort_alert_ip_src($fileline)
$re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
- $alert_ip_src = $matches4[1][0];
+ return $matches4[1][0];
- return $alert_ip_src;
+ return "";
}
function get_snort_alert_disc($fileline)
{
/* disc */
- if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
- $alert_disc = "$matches[2]";
-
- return $alert_disc;
-}
-
-/* build sec filters */
-function get_snort_block_ip($fileline)
-{
- /* ip */
- if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches))
- $alert_block_ip = "$matches[0]";
-
- return $alert_block_ip;
-}
-
-function get_snort_block_disc($fileline)
-{
- /* disc */
- if (preg_match("/\]\s\[.+\]$/", $fileline, $matches))
- $alert_block_disc = "$matches[0]";
+ if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches))
+ return "{$matches[2]}";
- return $alert_block_disc;
+ return "";
}
/* tell the user what settings they have */
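Review bot: get_snort_block_ip() and get_snort_block_disc() are removed here; their only callers visible on this page were the display loop rewritten in the last hunk, but if any other file under config/snort still calls them the removal turns into a fatal at render time, so that should be confirmed before merge. Returning `""` from both helpers when the pattern does not match is the right fix for the previously undefined `$alert_disc`. get_snort_alert_ip_src() begins before this hunk, so the `$re1` prefix the capture index `$matches4[1][0]` depends on is not reviewable here.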
@@ -278,100 +259,81 @@ if ($pconfig['brefresh'] == 'on')
<td class="listhdrr">IP</td>
<td class="listhdrr">Alert Description</td>
</tr>
- <?php
-
- /* set the arrays */
- exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
- $blocked_ips_array = explode("\n", str_replace(' ', '', file_get_contents('/tmp/snort_block.cache')));
- if (!empty($blocked_ips_array)) {
- $input = array();
- $alert_ip_src_array = array();
- foreach (glob("/var/log/snort/*/alert") as $alert) {
+ <?php
+ /* set the arrays */
+ $blocked_ips = "";
+ exec('/sbin/pfctl -t snort2c -T show', $blocked_ips);
+ $blocked_ips_array = array();
+ if (!empty($blocked_ips)) {
+ $blocked_ips_array = array();
+ if (is_array($blocked_ips)) {
+ foreach ($blocked_ips as $blocked_ip) {
+ if (empty($blocked_ip))
+ continue;
+ $blocked_ips_array[] = trim($blocked_ip, " \n\t");
+ }
+ }
+ $input = array();
+ $alert_ip_src_array = array();
+ foreach (glob("/var/log/snort/*/alert") as $alert) {
+ if ($pconfig['snortalertlogtype'] == 'full')
$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
- if (!empty($alerts_array[0])) {
- /* build the list and compare blocks to alerts */
- $counter = 0;
- foreach($alerts_array as $fileline) {
-
- $counter++;
-
- $alert_ip_src = get_snort_alert_ip_src($fileline);
- $alert_ip_disc = get_snort_alert_disc($fileline);
- $alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
-
- if (in_array("$alert_ip_src", $blocked_ips_array))
- $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
- }
+ else
+ $alerts_array = array_reverse(file($alert));
+ /* build the list and compare blocks to alerts */
+ foreach($alerts_array as $counter => $fileline) {
+ if (empty($fileline))
+ continue;
+ $alert_ip_src = get_snort_alert_ip_src($fileline);
+ $alert_ip_disc = get_snort_alert_disc($fileline);
+ $alert_ip_src_array[] = $alert_ip_src;
+ if (!empty($blocked_ips_array) && in_array("$alert_ip_src", $blocked_ips_array)) {
+ if (!isset($input[$alert_ip_src]))
+ $input[$alert_ip_src] = "{$alert_ip_disc}\n";
}
}
-
- foreach($blocked_ips_array as $alert_block_ip) {
- if (is_ipaddr($alert_block_ip) && !in_array($alert_block_ip, $alert_ip_src_array))
- $input[] = "[$alert_block_ip] " . "[N\A]\n";
- }
-
- /* reduce double occurrences */
- $result = array_unique($input);
-
- /* buil final list, preg_match, buld html */
- $counter2 = 0;
- $logent = $bnentries;
-
- foreach($result as $fileline) {
- if($logent <= $counter2)
- continue;
-
- $counter2++;
-
- $alert_block_ip_str = get_snort_block_ip($fileline);
-
- if($alert_block_ip_str != '') {
- $alert_block_ip_match = array('[',']');
- $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str");
- } else
- $alert_block_ip = 'empty';
-
- $alert_block_disc_str = get_snort_block_disc($fileline);
-
- if($alert_block_disc_str != '') {
- $alert_block_disc_match = array('] [',']');
- $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str");
- }else
- $alert_block_disc = 'empty';
-
- /* use one echo to do the magic*/
- echo "<tr>
- <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'>
+ }
+
+ foreach($blocked_ips_array as $blocked_ip) {
+ if (is_ipaddr($blocked_ip) && !isset($input[$blocked_ip]))
+ $input[] = "N\A\n";
+ }
+
+ /* buil final list, preg_match, buld html */
+ $counter = 0;
+ foreach($input as $blocked_ip => $blocked_desc) {
+ if($counter > $bnentries)
+ break;
+ else
+ $counter++;
+
+ /* use one echo to do the magic*/
+ echo "<tr>
+ <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'>
<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
- <td>&nbsp;{$counter2}</td>
- <td>&nbsp;{$alert_block_ip}</td>
- <td>&nbsp;{$alert_block_disc}</td>
+ <td>&nbsp;{$counter}</td>
+ <td>&nbsp;{$blocked_ip}</td>
+ <td>&nbsp;{$blocked_desc}</td>
</tr>\n";
- }
+ }
- echo '</table>' . "\n";
- echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>";
- } else
- echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>";
+ echo '</table>' . "\n";
+ echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
+ } else
+ echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>";
- ?>
- </td>
- </tr>
- </table>
+ ?>
</td>
- </tr>
- </table>
- </div>
-
- <?php
-
- include("fend.inc");
-
-echo $snort_custom_rnd_box;
-
+ </tr>
+ </table>
+ </td>
+ </tr>
+</table>
+</div>
+<?php
+include("fend.inc");
?>
-
</body>
</html>
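Review bot: The "no matching alert" loop appends with `$input[] = "N\A\n";`, so blocked addresses without an alert get an integer key and the display loop `foreach($input as $blocked_ip => $blocked_desc)` then prints `0`, `1`, ... as the IP and builds `?todelete=0` links for them; it should be `$input[$blocked_ip] = "N\A\n";` to match the keyed insert used for alert matches. The limit check `if($counter > $bnentries) break;` is off by one and shows one row more than the configured count; `>=` gives the intended limit. `$blocked_desc` comes from the alert log message text and `$blocked_ip` from the pfctl table, and both are interpolated into the HTML unescaped; wrapping them in `htmlspecialchars(...)` at the echo costs nothing and removes the dependency on the log format staying benign. `$pconfig['snortalertlogtype']` is read here but not set anywhere visible in this diff, so the 'full' branch may never run; worth confirming.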