From 4a1c359d46f21af9cb7871791614ca15a2f3da9d Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 22 Feb 2015 19:31:13 -0500 Subject: pfBlockerNG - Alerts Tab Filter Regex 1) Add Filter Regex to Alerts Tab (Based on Firewall Diag Logs & Snort pkg) 2) Change Suppression icon to use "Green +" Icon --- config/pfblockerng/pfblockerng_alerts.php | 149 ++++++++++++++++++++++++++++-- 1 file changed, 139 insertions(+), 10 deletions(-) diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php index 0164a4d2..e092b25c 100644 --- a/config/pfblockerng/pfblockerng_alerts.php +++ b/config/pfblockerng/pfblockerng_alerts.php @@ -69,6 +69,9 @@ $filter_logfile = "{$g['varlog_path']}/filter.log"; $pathgeoipdat = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIP.dat"; $pathgeoipdat6 = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIPv6.dat"; +// Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package) +$pfb['filterlogentries'] = FALSE; + // Emerging Threats IQRisk Header Name Reference $pfb['et_header'] = TRUE; $et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header']; 
@@ -127,6 +130,54 @@ if (is_array($config['installedpackages']['pfblockerngglobal'])) { $pfbmatchcnt = $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt']; } + +function pfb_match_filter_field($flent, $fields) { + foreach ($fields as $key => $field) { + if ($field == null) + continue; + if ((strpos($field, '!') === 0)) { + $field = substr($field, 1); + $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); + if (@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + else { + $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); + if (!@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + } + return true; +} + + +if ($_POST['filterlogentries_submit']) { + // Set flag for filtering alert entries + $pfb['filterlogentries'] = TRUE; + + // Note the order of these fields must match the order decoded from the alerts log + $filterfieldsarray = array(); + $filterfieldsarray[0] = $_POST['filterlogentries_rule'] ? $_POST['filterlogentries_rule'] : null; + $filterfieldsarray[2] = $_POST['filterlogentries_int'] ? $_POST['filterlogentries_int'] : null; + $filterfieldsarray[6] = strtolower($_POST['filterlogentries_proto']) ? $_POST['filterlogentries_proto'] : null; + + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[7] = $_POST['filterlogentries_srcip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_srcip']) : null; + $filterfieldsarray[8] = $_POST['filterlogentries_dstip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_dstip']) : null; + + $filterfieldsarray[9] = $_POST['filterlogentries_srcport'] ? $_POST['filterlogentries_srcport'] : null; + $filterfieldsarray[10] = $_POST['filterlogentries_dstport'] ? $_POST['filterlogentries_dstport'] : null; + $filterfieldsarray[90] = $_POST['filterlogentries_dnsbl'] ? 
$_POST['filterlogentries_dnsbl'] : null; + $filterfieldsarray[99] = $_POST['filterlogentries_date'] ? $_POST['filterlogentries_date'] : null; +} + + +if ($_POST['filterlogentries_clear']) { + $pfb['filterlogentries'] = TRUE; + $filterfieldsarray = array(); +} + + // Collect pfBlockerNG Firewall Rules if (!empty($results)) { foreach ($results as $result) { @@ -298,7 +349,7 @@ function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") { // Parse Filter log for pfBlockerNG Alerts function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) { - global $rule_list; + global $pfb, $rule_list, $filterfieldsarray; $fields_array = array(); $logarr = ""; $denycnt = 0; @@ -360,8 +411,13 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) continue; - $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name - $pfbalert[6] = strtoupper($pfbalert[6]); + $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name + $pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11]; // Protocol Flags + + // If Alerts Filtering is selected, process Filters as required. + if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) { + continue; + } if ($pfbalert[3] == "block") { if ($denycnt < $pfbdenycnt) { @@ -445,7 +501,7 @@ if ($savemsg) {
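Review bot: pfb_match_filter_field runs each `$_POST` filter value as a PCRE pattern under `@preg_match`, so an invalid pattern (an unbalanced parenthesis, or a trailing backslash that escapes the `/` delimiter) makes preg_match return false silently: in the positive branch every alert is then hidden with no message, and in the `!` branch the filter is simply ignored. Dropping the `@`, testing the result with `=== false` and reporting the bad pattern makes the failure visible; the rewrite below also folds the duplicated positive/negated branches into one. The `$filterfieldsarray[6]` line tests `strtolower($_POST['filterlogentries_proto'])` but stores the raw value, and the `/i` modifier already makes the match case-insensitive, so `$filterfieldsarray[6] = $_POST['filterlogentries_proto'] ? $_POST['filterlogentries_proto'] : null;` is presumably what was meant. Keys 90 and 99 are read as `$flent[$key]`, but only 97, 98 and 99 are visibly set on an alert row elsewhere in this patch; if 90 can be absent, the isset guard below avoids an undefined-index notice.
```php
function pfb_match_filter_field($flent, $fields) {
	foreach ($fields as $key => $field) {
		if ($field == null)
			continue;
		$negate = (strpos($field, '!') === 0);
		if ($negate)
			$field = substr($field, 1);
		$field_regex = str_replace('/', '\/', str_replace('\/', '/', $field));
		$subject = isset($flent[$key]) ? $flent[$key] : '';
		// No '@': an invalid user-supplied pattern must not silently hide or pass every row.
		$result = preg_match("/{$field_regex}/i", $subject);
		if ($result === false)
			return false;	// TODO: report preg_last_error() to the user as an input error
		if (($result === 1) === $negate)
			return false;
	}
	return true;
}
```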
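Review bot: The new `$pfbalert[6]` line passes `$pfbalert[6]` as the fourth argument of str_replace, which is the by-reference `$count` output parameter rather than a second subject; the element is briefly overwritten with the replacement count before the assignment replaces it with the return value, so the output happens to be right but the call reads as if it had two subjects. The three-argument form used by the `$proto` line this patch removes from the rendering loop is the intended one: `$pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6])) . $pfbalert[11]; // Protocol Flags`. The filter `continue` is placed before the deny/permit counters, so rows removed by the filter do not consume the entry limits, which looks right. conv_log_filter_lite's body continues outside the hunk.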
- +
+ + + + "> + + + + "> + + + $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ): switch($type) { @@ -632,8 +753,6 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { $rulenum = $fields[0]; if ($counter < $pfbentries) { - $proto = str_replace("TCP", "TCP-", $fields[6]) . $fields[11]; - // Cleanup Port Output if ($fields[6] == "ICMP" || $fields[6] == "ICMPV6") { $srcport = ""; @@ -660,7 +779,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= ""; } @@ -683,7 +802,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= ""; } @@ -757,7 +876,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { } } elseif (is_ipaddrv6($host) && $pfb_query != "Country") { - $pfb_query = exec("/usr/bin/grep -Hm1 '{$host}' {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'"); + $pfb_query = exec("/usr/bin/grep -Hm1 {$host} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'"); } // Default to "No Match" if not found. @@ -809,7 +928,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { - + @@ -872,6 +991,16 @@ if ( autoresolve == "on" ) { } } +function enable_showFilter() { + document.getElementById("filter_enable_row").style.display="none"; + document.getElementById("filter_options_row").style.display="table-row"; +} + +function enable_hideFilter() { + document.getElementById("filter_enable_row").style.display="table-row"; + document.getElementById("filter_options_row").style.display="none"; +} + //]]> -- cgit v1.2.3
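Review bot: Removing the single quotes around `{$host}` in the exec() grep command leaves the value unquoted in a shell pipeline; it is guarded by `is_ipaddrv6($host)` on the line above, which limits what can reach the shell, but the quoting was the only other layer if that check or the log parser ever lets something else through. escapeshellarg() keeps whatever motivated the change (the quoted form presumably did not match as intended) while restoring the quoting: `$pfb_query = exec("/usr/bin/grep -Hm1 " . escapeshellarg($host) . " {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'");`. For the "Deny" case `$pfbfolder` is two directories joined with a space at the top of the loop, so it should not be wrapped in escapeshellarg as a whole. The enclosing loop body starts and ends outside the hunk.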
    @@ -473,6 +529,71 @@ if ($savemsg) { ', '');?>
+ " onclick="enable_showFilter();" /> +    +
+ + + + + + + + + + + + + + + + + +
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ +
', '');?>   +

+
+
" title="" /> +    " title="" /> +    " onclick="enable_hideFilter();" title="" />
+
+
{$fields[99]} {$fields[2]} {$rule}{$proto}{$fields[6]} {$src_icons}{$fields[97]}{$srcport}
{$hostname['src']}
{$dst_icons}{$fields[98]}{$dstport}
{$hostname['dst']}
{$country}