From 4a1c359d46f21af9cb7871791614ca15a2f3da9d Mon Sep 17 00:00:00 2001
From: BBcan177 <bbcan177@gmail.com>
Date: Sun, 22 Feb 2015 19:31:13 -0500
Subject: pfBlockerNG - Alerts Tab Filter Regex

1) Add Filter Regex to Alerts Tab (Based on Firewall Diag Logs & Snort
pkg)
2) Change Suppression icon to use "Green +" Icon
---
 config/pfblockerng/pfblockerng_alerts.php | 149 ++++++++++++++++++++++++++++--
 1 file changed, 139 insertions(+), 10 deletions(-)

diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php
index 0164a4d2..e092b25c 100644
--- a/config/pfblockerng/pfblockerng_alerts.php
+++ b/config/pfblockerng/pfblockerng_alerts.php
@@ -69,6 +69,9 @@ $filter_logfile = "{$g['varlog_path']}/filter.log";
 $pathgeoipdat	= "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIP.dat";
 $pathgeoipdat6	= "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIPv6.dat";
 
+// Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package)
+$pfb['filterlogentries'] = FALSE;
+
 // Emerging Threats IQRisk Header Name Reference
 $pfb['et_header'] = TRUE;
 $et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header'];
@@ -127,6 +130,54 @@ if (is_array($config['installedpackages']['pfblockerngglobal'])) {
 	$pfbmatchcnt	= $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'];
 }
 
+
+function pfb_match_filter_field($flent, $fields) {
+	foreach ($fields as $key => $field) {
+		if ($field == null)
+			continue;
+		if ((strpos($field, '!') === 0)) {
+			$field = substr($field, 1);
+			$field_regex = str_replace('/', '\/', str_replace('\/', '/', $field));
+			if (@preg_match("/{$field_regex}/i", $flent[$key]))
+				return false;
+		}
+		else {
+			$field_regex = str_replace('/', '\/', str_replace('\/', '/', $field));
+			if (!@preg_match("/{$field_regex}/i", $flent[$key]))
+				return false;
+		}
+	}
+	return true;
+}
+
+
+if ($_POST['filterlogentries_submit']) {
+	// Set flag for filtering alert entries
+	$pfb['filterlogentries'] = TRUE;
+
+	// Note the order of these fields must match the order decoded from the alerts log
+	$filterfieldsarray = array();
+	$filterfieldsarray[0] = $_POST['filterlogentries_rule'] ? $_POST['filterlogentries_rule'] : null;
+	$filterfieldsarray[2] = $_POST['filterlogentries_int'] ? $_POST['filterlogentries_int'] : null;
+	$filterfieldsarray[6] = strtolower($_POST['filterlogentries_proto']) ? $_POST['filterlogentries_proto'] : null;
+
+	// Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation
+	$filterfieldsarray[7] = $_POST['filterlogentries_srcip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_srcip']) : null;
+	$filterfieldsarray[8] = $_POST['filterlogentries_dstip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_dstip']) : null;
+
+	$filterfieldsarray[9] = $_POST['filterlogentries_srcport'] ? $_POST['filterlogentries_srcport'] : null;
+	$filterfieldsarray[10] = $_POST['filterlogentries_dstport'] ? $_POST['filterlogentries_dstport'] : null;
+	$filterfieldsarray[90] = $_POST['filterlogentries_dnsbl'] ? $_POST['filterlogentries_dnsbl'] : null;
+	$filterfieldsarray[99] = $_POST['filterlogentries_date'] ? $_POST['filterlogentries_date'] : null;
+}
+
+
+if ($_POST['filterlogentries_clear']) {
+	$pfb['filterlogentries'] = TRUE;
+	$filterfieldsarray = array();
+}
+
+
 // Collect pfBlockerNG Firewall Rules
 if (!empty($results)) {
 	foreach ($results as $result) {
@@ -298,7 +349,7 @@ function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") {
 
 // Parse Filter log for pfBlockerNG Alerts
 function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) {
-	global $rule_list;
+	global $pfb, $rule_list, $filterfieldsarray;
 	$fields_array	= array();
 	$logarr		= "";
 	$denycnt	= 0;
@@ -360,8 +411,13 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi
 			if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip)
 				continue;
 
-			$pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name
-			$pfbalert[6] = strtoupper($pfbalert[6]);
+			$pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]);					// Friendly Interface Name
+			$pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11];	// Protocol Flags
+
+			// If Alerts Filtering is selected, process Filters as required.
+			if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) {
+				continue;
+			}
 
 			if ($pfbalert[3] == "block") {
 				if ($denycnt < $pfbdenycnt) {
@@ -445,7 +501,7 @@ if ($savemsg) {
 	</tr>
 	<tr>
 	<td><div id="mainarea">
-		<table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6">
+		<table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="4">
 			<tr>
 				<td colspan="3" class="vncell" align="left"><?php echo gettext("LINKS :"); ?>&nbsp;
 				<a href='/firewall_aliases.php' target="_blank"><?php echo gettext("Firewall Alias"); ?></a>&nbsp;
@@ -473,6 +529,71 @@ if ($savemsg) {
 				<?php printf(gettext("Currently Suppressing &nbsp; %s$pfbsupp_cnt%s &nbsp; Hosts."), '<strong>', '</strong>');?>
 			</td>
 			</tr>
+			<tr>
+				<td colspan="3" class="listtopic"><?php echo gettext("Alert Log View Filter"); ?></td>
+			</tr>
+			<tr id="filter_enable_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "table-row;";} else {echo "none;";} ?>">
+				<td width="10%" class="vncell"><?php echo gettext('Filter Options'); ?></td>
+				<td width="90%" class="vtable">
+					<input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" />
+					&nbsp;&nbsp;<?=gettext("Click to display advanced filtering options dialog");?>
+				</td>
+			</tr>
+			<tr id="filter_options_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "none;";} else {echo "table-row;";} ?>">
+				<td colspan="2">
+					<table width="100%" border="0" cellspacing="0" cellpadding="1" summary="action">
+					<tr>
+						<td valign="top">
+							<div align="center"><?=gettext("Date");?></div>
+							<div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div>
+						</td>
+						<td valign="top">
+							<div align="center"><?=gettext("Interface");?></div>
+							<div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div>
+						</td>
+						<td valign="top">
+							<div align="center"><?=gettext("Rule Number Only");?></div>
+							<div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div>
+						</td>
+						<td valign="top">
+							<div align="center"><?=gettext("Protocol");?></div>
+							<div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div>
+						</td>
+					</tr>
+					<tr>
+						<td valign="top">
+							<div align="center"><?=gettext("Source IP Address");?></div>
+							<div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div>
+						</td>
+						<td valign="top">
+							<div align="center"><?=gettext("Source Port");?></div>
+							<div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div>
+						</td>
+						<td valign="top">
+							<div align="center"><?=gettext("Destination IP Address");?></div>
+							<div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div>
+						</td>
+						<td valign="top">
+							<div align="center"><?=gettext("Destination Port");?></div>
+							<div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div>
+						</td>
+					</tr>
+						<td colspan="5" style="vertical-align:bottom">
+
+							<br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?>&nbsp;&nbsp <?=gettext("Precede with exclamation (!) as first character to exclude match.) ");?>
+							<br /><?printf(gettext("Example: ( ^80$ - Match Port 80, ^80$|^8080$ - Match both port 80 & 8080 ) "));?><br />
+					</tr>
+					<tr>
+						<td colspan="1" style="vertical-align:bottom">
+							<div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" />
+							&nbsp;&nbsp;&nbsp;<input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" />
+							&nbsp;&nbsp;&nbsp;<input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div>
+						</td>
+					</tr>
+					</table>
+				</td>
+			</tr>
+
 <!--Create Three Output Windows 'Deny', 'Permit' and 'Match'-->
 <?php foreach (array ("Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ):
 	switch($type) {
@@ -632,8 +753,6 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
 
 		$rulenum = $fields[0];
 		if ($counter < $pfbentries) {
-			$proto = str_replace("TCP", "TCP-", $fields[6]) . $fields[11];
-
 			// Cleanup Port Output
 			if ($fields[6] == "ICMP" || $fields[6] == "ICMPV6") {
 				$srcport = "";
@@ -660,7 +779,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
 
 				if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") {
 					$supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" ";
-					$supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" title=\"";
+					$supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\"";
 					$supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>";
 				}
 
@@ -683,7 +802,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
 
 				if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") {
 					$supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" ";
-					$supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" title=\"";
+					$supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\"";
 					$supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>";
 				}
 
@@ -757,7 +876,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
 				}
 			}
 			elseif (is_ipaddrv6($host) && $pfb_query != "Country") {
-				$pfb_query = exec("/usr/bin/grep -Hm1 '{$host}' {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'");
+				$pfb_query = exec("/usr/bin/grep -Hm1 {$host} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'");
 			}
 
 			// Default to "No Match" if not found.
@@ -809,7 +928,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
 				<td class='listMRr' align='center'>{$fields[99]}</td>
 				<td class='listMRr' align='center'>{$fields[2]}</td>
 				<td class='listMRr' align='center' title='The pfBlockerNG Rule that Blocked this Host.'>{$rule}</td>
-				<td class='listMRr' align='center'>{$proto}</td>
+				<td class='listMRr' align='center'>{$fields[6]}</td>
 				<td class='listMRr' align='center' style='sorttable_customkey:{$fields[7]};' sorttable_customkey='{$fields[7]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td>
 				<td class='listMRr' align='center' style='sorttable_customkey:{$fields[8]};' sorttable_customkey='{$fields[8]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td>
 				<td class='listMRr' align='center'>{$country}</td>
@@ -872,6 +991,16 @@ if ( autoresolve == "on" ) {
 	}
 }
 
+function enable_showFilter() {
+	document.getElementById("filter_enable_row").style.display="none";
+	document.getElementById("filter_options_row").style.display="table-row";
+}
+
+function enable_hideFilter() {
+	document.getElementById("filter_enable_row").style.display="table-row";
+	document.getElementById("filter_options_row").style.display="none";
+}
+
 //]]>
 </script>
 <?php include("fend.inc"); ?>
-- 
cgit v1.2.3