From 844fbe052e814a4662dedcf3a09fbfcdb814801a Mon Sep 17 00:00:00 2001
From: robiscool <robrob2626@yahoo.com>
Date: Wed, 31 Mar 2010 19:02:32 -0700
Subject: snort-dev to snort, snort to snort-old, Release

---
 config/snort/snort_blocked.php | 453 ++++++++++++++++++++++++++++++++---------
 1 file changed, 362 insertions(+), 91 deletions(-)

(limited to 'config/snort/snort_blocked.php')

diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index ff158853..293679d9 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -5,6 +5,9 @@
 	Copyright (C) 2006 Scott Ullrich
 	All rights reserved.
 
+	Modified for the Pfsense snort package v. 1.8+
+	Copyright (C) 2009 Robert Zelaya Sr. Developer
+	
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
 
@@ -27,8 +30,19 @@
 	POSSIBILITY OF SUCH DAMAGE.
 */
 
-require("guiconfig.inc");
-require("/usr/local/pkg/snort.inc");
+require_once("globals.inc");
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
+$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
+
+if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
+{
+	$bnentries = '500';
+}else{
+	$bnentries = $pconfig['blertnumber'];
+}
 
 if($_POST['todelete'] or $_GET['todelete']) {
 	if($_POST['todelete'])
@@ -38,100 +52,147 @@ if($_POST['todelete'] or $_GET['todelete']) {
 	exec("/sbin/pfctl -t snort2c -T delete {$ip}");
 }
 
-$pgtitle = "Snort: Snort Blocked";
-include("head.inc");
+if ($_POST['remove']) {
 
-?>
+exec("/sbin/pfctl -t snort2c -T flush");
+sleep(1);
+header("Location: /snort/snort_blocked.php");
 
-<body link="#000000" vlink="#000000" alink="#000000">
-<?php include("fbegin.inc"); ?>
+}
 
-<?php
-if(!$pgtitle_output)
-	echo "<p class=\"pgtitle\"><?=$pgtitle?></p>";
-?>
+/* TODO: build a file with block ip and disc */
+if ($_POST['download'])
+{
 
-<form action="snort_rulesets.php" method="post" name="iform" id="iform">
-<script src="/row_toggle.js" type="text/javascript"></script>
-<script src="/javascript/sorttable.js" type="text/javascript"></script>
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<table width="99%" border="0" cellpadding="0" cellspacing="0">
-   <tr>
-   		<td>
-<?php
-	$tab_array = array();
-	$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
-	$tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
-	$tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
-	$tab_array[] = array(gettext("Rules"), false, "/snort_rules.php");
-	$tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&amp;id=0");
-	$tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php");
-	$tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml");
-	$tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml");
-	$tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php");
-	$tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
-	display_top_tabs($tab_array);
-?>
-  		</td>
-  </tr>
-  <tr>
-    <td>
-		<div id="mainarea">
-			<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
-				<tr>
-					<td>
-						<table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
-						    <tr id="frheader">
-								<td width="5%" class="listhdrr">Remove</td>
-								<td class="listhdrr">IP</td>
-								<td class="listhdrr">Alert Description</td>
-							</tr>
-<?php
+	ob_start(); //important or other posts will fail
+	$save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+	$file_name = "snort_blocked_{$save_date}.tar.gz";
+	exec('/bin/mkdir /tmp/snort_blocked');	
+	exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
+	
+	$blocked_ips_array_save = str_replace('   ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf'))));
+	
+	if ($blocked_ips_array_save[0] != '')
+	{
 
-	$associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip'];
-	$ips = `/sbin/pfctl -t snort2c -T show`;
-	$ips_array = split("\n", $ips);
-	$counter = 0;
-	foreach($ips_array as $ip) {
-		if(!$ip)
-			continue;
-		$ww_ip = str_replace(" ", "", $ip);
-		$counter++;
-		if($associatealertip)
-			$alert_description = get_snort_alert($ww_ip);
-		else
-			$alert_description = "";
-		echo "\n<tr>";
-		echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>";
-		echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>";
-		echo "\n<td>&nbsp;{$ww_ip}</td>";
-		echo "\n<td>&nbsp;{$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>";
-		echo "\n</tr>";
+		/* build the list */
+		$counter = 0;
+		foreach($blocked_ips_array_save as $fileline3)
+		{
+
+			$counter++;
+
+			exec("/bin/echo  $fileline3 >> /tmp/snort_blocked/snort_block.pf");	
+	
+		}
 	}
-	echo "\n<tr><td colspan='3'>&nbsp;</td></tr>";
-	if($counter < 1)
-		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>";
-	else
-		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
 
-?>
+	exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
 
-						</table>
-		    		</td>
-		  		</tr>
-			</table>
-		</div>
-	</td>
-  </tr>
-</table>
+	if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz"))
+	{
+		$file = "/tmp/snort_blocked_{$save_date}.tar.gz";
+		header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+		header("Pragma: private"); // needed for IE
+		header("Cache-Control: private, must-revalidate"); // needed for IE
+		header('Content-type: application/force-download');
+		header('Content-Transfer-Encoding: Binary');
+		header("Content-length: ".filesize($file));
+		header("Content-disposition: attachment; filename = {$file_name}");
+		readfile("$file");
+		exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz");
+		exec("/bin/rm /tmp/snort_block.pf");
+		exec("/bin/rm /tmp/snort_blocked/snort_block.pf");
+		od_end_clean(); //importanr or other post will fail
+	}else{
+    echo 'Error no saved file.';
+	}
 
-</form>
+}
 
-<p>
+if ($_POST['save'])
+{
 
-<?php
+	/* input validation */
+	if ($_POST['save'])
+	{
+
+	
+	}
+		
+		/* no errors */
+		if (!$input_errors)
+		{
+		
+		$config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off;
+		$config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber'];
+		
+		conf_mount_rw();
+		write_config();
+		//conf_mount_ro();
+		sleep(2);
+			
+		header("Location: /snort/snort_blocked.php");
+				
+		}
+		
+}
+
+/* build filter funcs */
+function get_snort_alert_ip_src($fileline)
+{
+        /* SRC IP */
+        $re1='.*?';   # Non-greedy match on filler
+        $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+        if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
+        {
+			$alert_ip_src = $matches4[1][0];
+        }
+
+return $alert_ip_src;
+
+}
 
-$blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blocked'];
+function get_snort_alert_disc($fileline)
+{
+        /* disc */
+        if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
+        {
+			$alert_disc =  "$matches[2]";
+        }
+
+return $alert_disc;
+
+}
+
+/* build sec filters */
+function get_snort_block_ip($fileline)
+{
+        /* ip */
+        if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches))
+        {
+			$alert_block_ip =  "$matches[0]";
+        }
+
+return $alert_block_ip;
+
+}
+
+function get_snort_block_disc($fileline)
+{
+        /* disc */
+        if (preg_match("/\]\s\[.+\]$/", $fileline, $matches))
+        {
+			$alert_block_disc =  "$matches[0]";
+        }
+
+return $alert_block_disc;
+
+}
+
+/* tell the user what settings they have */
+$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
 	if ($blockedtab_msg_chk == "1h_b") {
 		$blocked_msg = "hour";
 	}
@@ -157,18 +218,228 @@ $blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blo
 		$blocked_msg = "28 days";
 	}
 
-echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every $blocked_msg.";
+if ($blockedtab_msg_chk != "never_b")
+{
+$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>.";
+}else{
+$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts.";
+}
+	
+$pgtitle = "Services: Snort Blocked Hosts";
+include("head.inc");
 
 ?>
 
-<?php include("fend.inc"); ?>
+<body link="#000000" vlink="#000000" alink="#000000">
+<?php 
 
-</body>
-</html>
+include("./snort_fbegin.inc");
+
+echo "<p class=\"pgtitle\">";
+if($pfsense_stable == 'yes'){echo $pgtitle;}
+echo "</p>\n";
+
+/* refresh every 60 secs */
+if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '')
+{
+	echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n";
+}
+?>
+
+<script src="/row_toggle.js" type="text/javascript"></script>
+<script src="/javascript/sorttable.js" type="text/javascript"></script>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<table width="99%" border="0" cellpadding="0" cellspacing="0">
+   <tr>
+   		<td>
+<?php
+	$tab_array = array();
+	$tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php");
+	$tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php");
+	$tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php");
+	$tab_array[] = array("Alerts", false, "/snort/snort_alerts.php");
+    $tab_array[] = array("Blocked", true, "/snort/snort_blocked.php");
+	$tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml");
+	$tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php");
+	display_top_tabs($tab_array);
+?>
+	</td>
+	</tr>
+		<tr>
+		<td>
+		<div id="mainarea">
+		
+		<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+		  <tr>
+			<td width="22%" colspan="0" class="listtopic">
+			Last <?=$bnentries;?> Blocked.
+			</td>
+			<td width="78%" class="listtopic">
+			This page lists hosts that have been blocked by Snort.&nbsp;&nbsp;<?=$blocked_msg_txt;?>
+			</td>
+		  </tr>
+    <tr>
+        <td width="22%" class="vncell">Save or Remove Hosts</td>
+		<td width="78%" class="vtable">
+		<form action="/snort/snort_blocked.php" method="post">
+        <input name="download" type="submit" class="formbtn" value="Download">
+        All blocked hosts will be saved.
+		<input name="remove" type="submit" class="formbtn" value="Clear">
+		<span class="red"><strong>Warning:</strong></span> all hosts will be removed.
+		</form>
+		</td>
+    </tr>
+    <tr>
+        <td width="22%" class="vncell">Auto Refresh and Log View</td>
+		<td width="78%" class="vtable">
+		<form action="/snort/snort_blocked.php" method="post">
+		<input name="save" type="submit" class="formbtn" value="Save">
+		Refresh
+        <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>>
+        <strong>Default</strong> is <strong>ON</strong>.
+		<input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>">
+		Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>.
+		</form>
+		</td>
+    </tr>
+		</table>
+		
+	</div>
+	</td>
+  </tr>
 
+					<table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
+				<tr> 
+					<td>
+						<table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+						    <tr id="frheader">
+								<td width="5%" class="listhdrr">Remove</td>
+								<td class="listhdrr">#</td>
+								<td class="listhdrr">IP</td>
+								<td class="listhdrr">Alert Description</td>
+							</tr>
 <?php
 
-/* write out snort cache */
-write_snort_config_cache($snort_config);
+/* set the arrays */
+exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
+$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
+$blocked_ips_array = str_replace('   ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache'))));
+
+$logent = $bnentries;
+
+if ($blocked_ips_array[0] != '' && $alerts_array[0] != '')
+{
+
+	/* build the list and compare blocks to alerts */
+	$counter = 0;
+	foreach($alerts_array as $fileline)
+	{
+
+	$counter++;
 
-?>
\ No newline at end of file
+	$alert_ip_src =  get_snort_alert_ip_src($fileline);
+	$alert_ip_disc = get_snort_alert_disc($fileline);
+	$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
+
+		if (in_array("$alert_ip_src", $blocked_ips_array))
+		{
+			$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
+		}
+	}
+
+	foreach($blocked_ips_array as $alert_block_ip)
+	{
+
+		if (!in_array($alert_block_ip, $alert_ip_src_array))
+		{
+			$input[] = "[$alert_block_ip] " . "[N\A]\n";
+		}
+	}
+
+	/* reduce double occurrences */
+	$result = array_unique($input);
+
+	/* buil final list, preg_match, buld html */
+	$counter2 = 0;
+
+	foreach($result as $fileline2)
+	{
+		if($logent <= $counter2)
+		continue;
+
+		$counter2++;
+
+		$alert_block_ip_str =  get_snort_block_ip($fileline2);
+
+		if($alert_block_ip_str != '')
+		{
+			$alert_block_ip_match = array('[',']'); 
+			$alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str");
+		}else{	
+			$alert_block_ip = 'empty';
+		}
+
+		$alert_block_disc_str = get_snort_block_disc($fileline2);
+
+		if($alert_block_disc_str != '')
+		{
+			$alert_block_disc_match = array('] [',']'); 
+			$alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str");
+		}else{	
+			$alert_block_disc = 'empty';
+		}
+
+		/* use one echo to do the magic*/
+		echo "<tr>
+			<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'>
+			<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
+			<td>&nbsp;{$counter2}</td>
+			<td>&nbsp;{$alert_block_ip}</td>
+			<td>&nbsp;{$alert_block_disc}</td>
+			</tr>\n";
+		
+	}
+
+}else{
+
+	/* if alerts file is empty and blocked table is not empty */
+	$counter2 = 0;
+
+	foreach($blocked_ips_array as $alert_block_ip)
+	{
+		if($logent <= $counter2)
+		continue;
+
+		$counter2++;
+		
+		$alert_block_disc = 'N/A';
+		
+		/* use one echo to do the magic*/
+		echo "<tr>
+			<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'>
+			<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
+			<td>&nbsp;{$counter2}</td>
+			<td>&nbsp;{$alert_block_ip}</td>
+			<td>&nbsp;{$alert_block_disc}</td>
+			</tr>\n";		
+	}
+}
+
+if ($blocked_ips_array[0] == '')
+{
+		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>";
+}else{
+		echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>";
+}
+
+?>
+						</table>
+		    		</td>
+		  		</tr>
+			</table>
+	</td>
+  </tr>
+</table>
+<?php include("fend.inc"); ?>
+</body>
+</html>
-- 
cgit v1.2.3