From 5c8a91ca5e5f05a19d9b63df81ad5e3de9d13031 Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 9 Jul 2012 14:01:20 +0000 Subject: Make snort blocked [page more usable with input from http://forum.pfsense.org/index.php/topic,51168.msg274011.html#msg274011 --- config/snort/snort_blocked.php | 254 ++++++++++++++++++----------------------- 1 file changed, 108 insertions(+), 146 deletions(-) diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 6994cb19..b3fb7aea 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -40,17 +40,19 @@ if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; -if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') +if (empty($pconfig['blertnumber'])) $bnentries = '500'; else $bnentries = $pconfig['blertnumber']; -if($_POST['todelete'] or $_GET['todelete']) { +if ($_POST['todelete'] || $_GET['todelete']) { + $ip = ""; if($_POST['todelete']) $ip = $_POST['todelete']; - if($_GET['todelete']) + else if($_GET['todelete']) $ip = $_GET['todelete']; - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + if (is_ipaddr($ip)) + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); } if ($_POST['remove']) { @@ -62,48 +64,46 @@ if ($_POST['remove']) { /* TODO: build a file with block ip and disc */ if ($_POST['download']) { - - ob_start(); //important or other posts will fail - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_blocked_{$save_date}.tar.gz"; - exec('/bin/mkdir /tmp/snort_blocked'); - exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); - - $blocked_ips_array_save = str_replace(' ', '', explode("\n", file_get_contents('/tmp/snort_block.pf'))); - - if ($blocked_ips_array_save[0] != '') { - /* build the list */ + $blocked_ips_array_save = ""; + exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); + /* build the list */ + if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) { + ob_start(); //important or other posts will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir -p /tmp/snort_blocked'); file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); - foreach($blocked_ips_array_save as $counter => $fileline) + foreach($blocked_ips_array_save as $counter => $fileline) { + if (empty($fileline)) + continue; + $fileline = trim($fileline, " \n\t"); file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); - } - - exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - - if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: " . filesize("/tmp/snort_blocked_{$save_date}.tar.gz")); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - od_end_clean(); //importanr or other post will fail - @unlink("/tmp/snort_blocked_{$save_date}.tar.gz"); - @unlink("/tmp/snort_block.pf"); - @unlink("/tmp/snort_blocked/snort_block.pf"); + } + + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); + + if(file_exists("/tmp/{$file_name}")) { + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: " . filesize("/tmp/{$file_name}")); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("/tmp/{$file_name}"); + ob_end_clean(); //importanr or other post will fail + @unlink("/tmp/snort_blocked_{$save_date}.tar.gz"); + @unlink("/tmp/snort_blocked/snort_block.pf"); + } else + $savemsg = "An error occurred while createing archive"; } else - echo 'Error no saved file.'; - + $savemsg = "No content on snort block list"; } if ($_POST['save']) { - /* no errors */ - if (!$input_errors) - { + if (!$input_errors) { $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; @@ -123,37 +123,18 @@ function get_snort_alert_ip_src($fileline) $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - $alert_ip_src = $matches4[1][0]; + return $matches4[1][0]; - return $alert_ip_src; + return ""; } function get_snort_alert_disc($fileline) { /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_disc = "$matches[2]"; - - return $alert_disc; -} - -/* build sec filters */ -function get_snort_block_ip($fileline) -{ - /* ip */ - if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) - $alert_block_ip = "$matches[0]"; - - return $alert_block_ip; -} - -function get_snort_block_disc($fileline) -{ - /* disc */ - if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) - $alert_block_disc = "$matches[0]"; + if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches)) + return "{$matches[2]}"; - return $alert_block_disc; + return ""; } /* tell the user what settings they have */ @@ -278,100 +259,81 @@ if ($pconfig['brefresh'] == 'on') IP Alert Description - /tmp/snort_block.cache'); - $blocked_ips_array = explode("\n", str_replace(' ', '', file_get_contents('/tmp/snort_block.cache'))); - if (!empty($blocked_ips_array)) { - $input = array(); - $alert_ip_src_array = array(); - foreach (glob("/var/log/snort/*/alert") as $alert) { + $fileline) { + if (empty($fileline)) + continue; + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = $alert_ip_src; + if (!empty($blocked_ips_array) && in_array("$alert_ip_src", $blocked_ips_array)) { + if (!isset($input[$alert_ip_src])) + $input[$alert_ip_src] = "{$alert_ip_disc}\n"; } } - - foreach($blocked_ips_array as $alert_block_ip) { - if (is_ipaddr($alert_block_ip) && !in_array($alert_block_ip, $alert_ip_src_array)) - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - - /* reduce double occurrences */ - $result = array_unique($input); - - /* buil final list, preg_match, buld html */ - $counter2 = 0; - $logent = $bnentries; - - foreach($result as $fileline) { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_ip_str = get_snort_block_ip($fileline); - - if($alert_block_ip_str != '') { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - } else - $alert_block_ip = 'empty'; - - $alert_block_disc_str = get_snort_block_disc($fileline); - - if($alert_block_disc_str != '') { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else - $alert_block_disc = 'empty'; - - /* use one echo to do the magic*/ - echo " - + } + + foreach($blocked_ips_array as $blocked_ip) { + if (is_ipaddr($blocked_ip) && !isset($input[$blocked_ip])) + $input[] = "N\A\n"; + } + + /* buil final list, preg_match, buld html */ + $counter = 0; + foreach($input as $blocked_ip => $blocked_desc) { + if($counter > $bnentries) + break; + else + $counter++; + + /* use one echo to do the magic*/ + echo " + \"Delete\" -  {$counter2} -  {$alert_block_ip} -  {$alert_block_disc} +  {$counter} +  {$blocked_ip} +  {$blocked_desc} \n"; - } + } - echo '' . "\n"; - echo "\n{$counter2} items listed."; - } else - echo "\n
There are currently no items being blocked by snort."; + echo '' . "\n"; + echo "\n{$counter} items listed."; + } else + echo "\n
There are currently no items being blocked by snort."; - ?> - - - + ?> - - - - - + + + + + + - -- cgit v1.2.3